{
	"id": "6aa97bed-78bb-4a80-a7cb-1ace78fb7d80",
	"created_at": "2026-04-06T00:22:30.246428Z",
	"updated_at": "2026-04-10T03:22:05.043777Z",
	"deleted_at": null,
	"sha1_hash": "c7e2ce37bdd0cac84f5e2a710df5e03be3f269fa",
	"title": "Attackers Abuse MobileIron’s RCE to deliver Kaiten | Blackarrow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3118345,
	"plain_text": "Attackers Abuse MobileIron’s RCE to deliver Kaiten | Blackarrow\r\nBy Administrador\r\nPublished: 2020-10-13 · Archived: 2026-04-05 21:51:18 UTC\r\nIn September this year the security researcher Orange Tsai published several vulnerabilities and PoCs related to MobileIron’s Mobile Device Management (MDM) solution.\r\nThe Tarlogic Blue Team has identified the use of CVE-2020-15505 by a certain group of attackers to download and run Kaiten.\r\nKaiten (aka Tsunami)\r\nThrough the JNDI injection related to said CVE, the attackers are downloading the well-known Kaiten. This family of malware has been used by multiple actors for more than 15 years (its beginnings date back to 2002), mainly as an offensive tool to generate DoS attacks and, currently, for the mining of cryptocurrencies.\r\nThere are dozens of variants associated with this malicious code, possibly as a result of the publication of its source code. In February 2016, a variant of Kaiten was distributed by a group of cybercriminals through malicious ISO images after compromising the Linux Mint WordPress instance and modifying its download URLs. Another variant, dubbed Amnesia by Palo Alto in April 2017, was related to the infection of multiple CCTV-DVR systems around the world by taking advantage of a certain RCE vulnerability that affected more than 70 vendors.\r\nIn April 2018, Netlab 360 researchers identified a botnet (nicknamed Muhstik) also linked to this malicious code that used a certain Drupal vulnerability as the entry vector.\r\nThe capabilities of this malware are mainly focused on denial of service attacks, implementing various functions to perform TCP/UDP flooding against the victims, all instructed by means of the IRC protocol. Attackers also have the ability to execute commands and download files.\r\nMalware characteristics:\r\nThe binary identified in one of our clients corresponds to 969013b23e440fe31be70daac6d7edb2. Its download originates from a certain dropper developed in bash whose goal is, in the first place, to kill multiple processes related to miners and services that require a high level of CPU.\r\nhttps://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/\r\nPage 1 of 10\r\nFigure 1. bot_kill function\r\nOnce these processes are finished, the script downloads, via “curl”, the Kaiten malware from the URL https://lib.pygensim.com/gensim into the directory defined by the INSTALL variable (/var/tmp/systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/jf2fa44a/aPs52s/jKal2d), sets execution permissions and finally runs it under the name “kworker”.\r\nFigure 2. Tsunami execution\r\nThe signature of the harmful code is as follows:\r\nMD5: 969013b23e440fe31be70daac6d7edb2\r\nSHA1: 5369a0122fd3b75ffdd110cc86ccc2d8ae2fa130\r\nSHA256: 0c27c64fc118ef56048b7d994162c4a0d008b4582c5eeb6923949a286f45ec52\r\nThe file is an x64 ELF binary compiled with GCC (Alpine 9.3.0). The following image shows its static properties from the information in its headers.\r\nFigure 3. ELF information: kworker\r\nBy analyzing the strings embedded within the binary it can be quickly inferred that the sample corresponds to Kaiten. In the following image you can see the strings associated with the help menu, where some of the IRC NOTICE messages that will be used to report the status and actions of the bot are shown.\r\nFigure 4. Strings: binary vs Kaiten source code\r\nBy reverse engineering it, we can confirm that the malware author compiled the publicly available sources with hardly any modification to the logic of their functions:\r\nFigure 5. Function structure\r\nThe binary, after executing, makes a fork() call and later tries to establish communication with the control server using the IRC protocol. To do this, it generates a random nickname/user and connects to a certain channel, waiting to receive instructions from its operators.\r\nFigure 6. Fork and C\u0026C connection\r\nThe code implements various functions to carry out different types of denial of service attacks (SYN/UDP flooding, etc.). The following image shows the logic to execute one of them, specifically the so-called Tsunami attack. The operators instruct the bots to execute, for a certain time (set in seconds), a TCP DoS attack playing with various flags of this protocol.\r\nFigure 7. Tsunami (DoS)\r\nThe malicious code also has the ability to execute commands on the victim via the “SH” command. To do this, it first adds the command to execute to the $PATH environment variable and then makes use of popen() to run it.\r\nFigure 8. Command execution\r\nAnother of Kaiten’s features is downloading files via HTTP. The following image shows the function responsible for this logic. Observe the strings associated with the GET request (with the “hardcoded” headers) with which the bot requests to download files to the system.\r\nFigure 9. Command execution\r\nCommunications\r\nKaiten’s dropper as well as the IRC control server share the same malicious domain: lib.pygensim.com. This was created on October 2, 2020 (a few days before the incident) and currently resolves to the address 198.98.56.111 (belonging to the bulletproof host “FranTech Solutions”).\r\nFigure 10. Whois domain: pygensim.com\r\nAccording to the information indexed by Shodan, the server corresponds to a Debian 10 with ports 22 (SSH) and 443 exposed to the Internet. Note that Shodan correctly identifies the IRC server running on port 443.\r\nFigure 11. Shodan information\r\nThe following image shows the bot’s connection to the IRC server (UnrealIRCd 5.0.6) and the entry to the #internet channel (with the password “:key_of_channel”). The creation date of this server was October 4 at 6:12 PM PDT.\r\nFigure 12. IRC server connection\r\nIt should be noted that the IRC server was active during the sample analysis and had about 300 bots.\r\nFigure 13. Active bots\r\nIn the previous output you can see the “Network Administrator” of this server under the nickname “magician”.\r\nFigure 14. Magician (Network Administrator)\r\nThe number of bots by country found at the time of analysis is listed below:\r\n70 US, United States\r\n30 DE, Germany\r\n22 GB, United Kingdom\r\n19 HK, Hong Kong\r\n12 NL, Netherlands\r\n12 IT, Italy\r\n11 RU, Russian Federation\r\n10 SK, Slovakia\r\n10 FR, France\r\n10 CN, China\r\n10 AU, Australia\r\n9 TR, Turkey\r\n9 IE, Ireland\r\n8 AT, Austria\r\n7 MY, Malaysia\r\n6 SG, Singapore\r\n6 GL, Greenland\r\n5 TW, Taiwan\r\n5 CH, Switzerland\r\n4 MX, Mexico\r\n4 KR, Korea, Republic of\r\n4 JP, Japan\r\n4 CZ, Czech Republic\r\n4 CA, Canada\r\n4 AR, Argentina\r\n3 BE, Belgium\r\n2 SE, Sweden\r\n2 RS, Serbia\r\n2 RO, Romania\r\n2 PR, Puerto Rico\r\n2 LU, Luxembourg\r\n2 ID, Indonesia\r\n2 HU, Hungary\r\n2 DO, Dominican Republic\r\n1 ES, Spain\r\n1 BR, Brazil\r\nIndicators of compromise\r\nYara rule:\r\nrule Tsunami {\r\n meta:\r\n author = \"BlackArrow Unit (Tarlogic)\"\r\n description = \"Detection of Tsunami/Kaiten sample based on embedded strings\"\r\n md5 = \"969013b23e440fe31be70daac6d7edb2\"\r\n sha1 = \"5369a0122fd3b75ffdd110cc86ccc2d8ae2fa130\"\r\n strings:\r\n $elf = { 7f 45 4c 46 }\r\n $x1 = \"= Kills the client\"\r\n $x2 = \"Kaiten wa goraku\"\r\n $x3 = \"syn flooder that will kill most\"\r\n $x4 = \"NOTICE %s :Killing pid\"\r\n $x5 = \":Removed all spoofs\"\r\n $x6 = \"TSUNAMI \u003ctarget\u003e\"\r\n $x7 = \"Do something like: 169.40\"\r\n $x8 = \":Spoofs: %d.%d.%d.%d\"\r\n $x9 = \"NOTICE %s :UDP \u003ctarget\u003e\"\r\n $x10 = \"NOTICE %s :GET \u003chttp address\u003e \"\r\n $x11 = \"NOTICE %s :NICK \u003cnick\u003e\"\r\n $x12 = \"NOTICE %s :UNKNOWN \u003ctarget\u003e\"\r\n $x13 = \"NOTICE %s :KILLALL\"\r\n $x14 = \"GETSPOOFS\"\r\n condition:\r\n $elf in (0..4) and 6 of ($x*) and filesize \u003c 120KB\r\n}\r\nIt is recommended to filter the domain linked to the C\u0026C (lib.pygensim.com) and establish rules in the corresponding networking devices (firewalls, IDS/IPS) to identify outgoing IRC traffic, as this is a protocol rarely used in business environments. In the case of using SNORT, consider the detection rules listed at: https://www.snort.org/search?query=irc\u0026submit_search=\r\nSource: https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/"
	],
	"report_names": [
		"attackers-abuse-mobileirons-rce-to-deliver-kaiten"
	],
	"threat_actors": [],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7e2ce37bdd0cac84f5e2a710df5e03be3f269fa.pdf",
		"text": "https://archive.orkl.eu/c7e2ce37bdd0cac84f5e2a710df5e03be3f269fa.txt",
		"img": "https://archive.orkl.eu/c7e2ce37bdd0cac84f5e2a710df5e03be3f269fa.jpg"
	}
}