IoT

Botnet

DDoS

Hajime

Hajime is an IoT worm that builds a decentralised peer-to-peer (P2P) botnet. Unlike most IoT botnets, it appears to harden the devices it infects so that they cannot be taken over by other malware. Despite its wide spread, its purpose remains unknown.

Key Insights

Hajime scans the internet for devices that expose a Telnet service and logs in with default or weak credentials. Once a device is compromised, it talks to the rest of the botnet over a peer-to-peer protocol (it rides on the BitTorrent DHT network) instead of a central command-and-control server. That makes it far more resistant to takedown than traditional botnets: there is no single domain or IP address to sinkhole or seize.

Capabilities and Behavior

Hajime is written in C and is modular: the initial infection is a small loader that fetches the main module over the P2P network, and further modules and updates are distributed the same way, so its capabilities can change over time. It carries no attack payload such as a DDoS capability. Instead it propagates itself and hardens the devices it infects, for example by blocking inbound access to the ports that other IoT malware uses to get in (Telnet on TCP/23 among them), apparently to deny those devices to competing malware. The hardening lives only in memory: a reboot removes Hajime and returns the device to its previous, exposed state, so an infected device still needs real remediation.

Current Status and Impact

As of 2017, Hajime had infected an estimated 300,000 devices worldwide, most of them in Iran, Brazil and Vietnam. Its author is unknown and no attack has been attributed to the botnet, so its purpose remains an open question.

Known Variants

No separately named variants of Hajime have been identified. Because the worm updates itself over its own P2P network, what exists is a single evolving codebase rather than a family of offshoots; the version running on a given device depends on which modules it has fetched, not on a fork by another actor.

Mitigation Strategies

  • Replace the default credentials on every IoT device with unique, strong passwords, and disable Telnet entirely where the device does not need it.

  • Update device firmware regularly to patch known vulnerabilities.

  • Segment the network so that IoT devices sit in their own VLAN with no route to critical systems, and block inbound Telnet from the internet at the perimeter.

  • Monitor for unusual network traffic. An IoT device that opens Telnet connections to many addresses is scanning for victims, and one that exchanges UDP with a large number of external peers is talking to a P2P botnet; either is a sign of infection.
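The two signals above (Telnet scanning out of the IoT segment, and P2P fan-out to many external peers, as described under Key Insights) can be pulled out of ordinary flow records. The following is an added example written for this page, not code from any Hajime analysis or tool; the flow records, the 192.168.50.0/24 IoT segment and the thresholds are constructed assumptions, and in practice the records would come from NetFlow/IPFIX, Zeek conn.log or a firewall connection log.

```python
"""
Hypothetical detector for Hajime-style behaviour on a flat IoT network.

Two signals, both taken from how the worm is described to behave:
  1. An internal host opening Telnet (TCP/23) connections to many distinct
     destinations: an infected device scanning for its next victims.
  2. An internal host exchanging UDP with many distinct external peers on
     ephemeral ports: decentralised (DHT-style) command and control that
     has no single server to block.

All flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

INTERNAL = ip_network("192.168.50.0/24")   # assumed IoT segment
TELNET_SCAN_THRESHOLD = 20                  # distinct destinations on TCP/23
P2P_PEER_THRESHOLD = 15                     # distinct external UDP peers
EPHEMERAL_MIN = 1024                        # ignore DNS/NTP and other well-known UDP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def classify(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Return {internal_host: [reasons]} for hosts showing either signal."""
    telnet_targets = defaultdict(set)
    udp_peers = defaultdict(set)
    for f in flows:
        if not is_internal(f.src):
            continue  # only outbound behaviour of our own devices matters here
        if f.proto == "tcp" and f.dport == 23:
            telnet_targets[f.src].add(f.dst)
        elif f.proto == "udp" and f.dport >= EPHEMERAL_MIN and not is_internal(f.dst):
            udp_peers[f.src].add(f.dst)

    findings = defaultdict(list)
    for host, targets in telnet_targets.items():
        if len(targets) >= TELNET_SCAN_THRESHOLD:
            findings[host].append(f"telnet scan: {len(targets)} distinct targets")
    for host, peers in udp_peers.items():
        if len(peers) >= P2P_PEER_THRESHOLD:
            findings[host].append(f"p2p fan-out: {len(peers)} distinct external UDP peers")
    return dict(findings)


def sample_flows() -> List[Flow]:
    """Constructed traffic: one infected camera, one benign thermostat."""
    flows = []
    # Infected device sweeps internet ranges for Telnet ...
    for i in range(1, 41):
        flows.append(Flow("192.168.50.10", f"203.0.113.{i}", "tcp", 23))
    # ... and keeps a DHT-style peer set alive over UDP on high ports.
    for i in range(1, 26):
        flows.append(Flow("192.168.50.10", f"198.51.100.{i}", "udp", 6881 + i))
    # Benign device: local DNS, NTP, and a vendor API over HTTPS.
    flows += [
        Flow("192.168.50.20", "192.168.50.1", "udp", 53),
        Flow("192.168.50.20", "198.51.100.200", "udp", 123),
        Flow("192.168.50.20", "203.0.113.250", "tcp", 443),
    ]
    # Inbound Telnet attempt from outside: external source, not scored here.
    flows.append(Flow("203.0.113.9", "192.168.50.10", "tcp", 23))
    return flows


if __name__ == "__main__":
    for host, reasons in sorted(classify(sample_flows()).items()):
        print(host, "->", "; ".join(reasons))
```

Only the camera at 192.168.50.10 is reported, on both counts; the thermostat's DNS, NTP and HTTPS traffic never reaches either threshold. Thresholds need tuning per environment (a device that legitimately uses BitTorrent or WebRTC will trip the UDP rule), but no healthy IoT device has a reason to open Telnet sessions to dozens of internet hosts.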

Targeted Industries or Sectors

Hajime targets IoT devices regardless of who deploys them, so it shows up wherever such devices are common: manufacturing, logistics, smart homes and any other sector that runs IoT equipment with default credentials or an exposed Telnet service.

Associated Threat Actors

The author of Hajime is unknown. The signed messages the botnet pushes to infected devices claim it is the work of a white hat securing systems, and some researchers read it as a vigilante project aimed at keeping other malware off IoT devices, but this is unconfirmed.

