Akamai Experts: "Accidentally Disabled a Botnet"

Earlier this month, Akamai Security Research published a post about a new botnet called KmsdBot, which is used to mine crypto and launch DDoS attacks on gaming companies and luxury car makers. For example, one of the victims was gaming company FiveM, which is developing a multiplayer mod for Grand Theft Auto V.

The botnet infected victims' devices with malware over SSH, getting in through accounts protected by weak credentials. After this publication, Akamai experts continued to monitor the botnet and eventually neutralized it.

The researchers modified the latest version of the KmsdBot sample to interact with an IP address in the RFC 1918 address space. This allowed them to create a controlled environment in which they could send commands to the bot to test its functionality and attack signatures.

In this experiment, they were able to replace the command-and-control (C2) server address used for receiving commands and redirecting network traffic. During testing, they noticed that the botnet stopped sending attack commands after it received a single malformed command.

The bot code has no built-in check for syntactically invalid commands. As a result, one malformed command crashed the bot code on every infected device and shut the botnet down.
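The failure mode described above, as an added illustration that is not KmsdBot's code or Akamai's: a line-oriented command dispatcher that trusts every incoming line has the right number of fields dies on the first malformed one, while a version that validates each field rejects the bad line and keeps running. The command names, field layout and sample stream are constructed for the example.

```python
# Added example: naive versus validated handling of a line-based
# command protocol. Command names and layout are hypothetical.

class CommandError(ValueError):
    """Raised by the validating parser for a malformed command line."""


def parse_naive(line):
    """Index fields without any checks.
    A missing field raises IndexError and a non-numeric count raises
    ValueError; an unguarded caller dies on the first malformed line."""
    fields = line.split()
    return {"cmd": fields[0], "target": fields[1], "count": int(fields[2])}


def parse_checked(line):
    """Validate field count, command name and count type, and report
    problems only through CommandError so the caller can carry on."""
    fields = line.split()
    if len(fields) != 3:
        raise CommandError(f"expected 3 fields, got {len(fields)}: {line!r}")
    cmd, target, count = fields
    if cmd not in {"ping", "fetch"}:
        raise CommandError(f"unknown command {cmd!r}")
    if not count.isdigit():
        raise CommandError(f"count must be a non-negative integer: {count!r}")
    return {"cmd": cmd, "target": target, "count": int(count)}


def run_loop(lines, parser):
    """Feed a stream of command lines to a parser.
    Returns (processed, errors, survived). An exception other than
    CommandError models an unhandled crash: the loop stops and
    survived is False, which is what took the whole botnet down."""
    processed, errors = 0, []
    for line in lines:
        try:
            parser(line)
            processed += 1
        except CommandError as exc:
            errors.append(str(exc))
        except Exception as exc:  # unhandled: the process would have died here
            return processed, errors + [f"crash: {type(exc).__name__}"], False
    return processed, errors, True


# Constructed sample stream: two valid lines, one with a missing field,
# then another valid line that only the validating parser ever sees.
SAMPLE = ["ping host-a 3", "fetch host-b 1", "ping host-c", "ping host-d 2"]
```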

After infection, the bot does not persist on the victim's device, which makes it harder to track and catch. This is the weakness that Akamai Security Research experts took advantage of: because the infecting file does not remain on the device, once the bot is stopped the attackers have to compromise and infect the device all over again.