KmsdBot: a new DDoS malware that can mine Monero and brute force SSH

When reviewing the logs on one of their honeypots, Akamai Technologies experts found commands to download an executable file called kmsd. As it turned out, this is a previously undocumented bot that can generate DDoS traffic, mine cryptocurrency, and spread on its own via SSH brute force.

The analysis showed that the new malware is written in Go and supports several architectures, including x86, x86-64, ARM64 and MIPS64. The DDoS targets of the bot, which Akamai named KmsdBot, include representatives of the gaming industry, IT companies, and luxury car manufacturers.

The malware is notable in that it does not try to establish persistence on the system; apparently, this is intended to keep it stealthier. For the same reason, the bot receives frequent updates that change its set of functions and the IP address of the command and control server, and it also keeps its mining in check by stopping the process and later restarting it.

Self-propagation mechanisms allow the malware to perform an SSH port scan and download a list of usernames and passwords from the command and control server for brute-force attack. The exchange with C2 is carried out using TCP packets.

The first KmsdBot DDoS attack reported by experts was against one of Akamai's clients, the creator of FiveM, a multiplayer mod for Grand Theft Auto V. The attackers opened a UDP socket and sent junk packets using FiveM's session token; this attack was aimed at depleting resources on the server.

Other DDoS techniques identified include SYN-ACK flood and HTTP flood (POST and GET). Cases of using a cryptominer (XMRig) have not yet been recorded.

Cross-platform DDoS bots are no longer a rarity, and the tendency to combine them with miners for greater returns is not new either. Sometimes attackers with malware that has rich DDoS capabilities try to monetize it in another way, for example by extorting money from the victim in exchange for stopping the attack.

---

An updated version of the malicious botnet called KmsdBot now targets IoT devices with enhanced capabilities and attack surface.

Akamai researchers came to this conclusion, noting from their analysis that the binary now includes support for Telnet scanning and more CPU architectures.

The latest iteration, seen since July 16, 2023, comes just months after the botnet was found to be offered as a DDoS-for-hire service in the cyber underground.

It is also actively maintained, which is what makes it effective in real attacks.

KmsdBot was first studied and documented in November 2022.

The Golang-based malware has targeted organizations ranging from gaming companies and cloud hosting providers to luxury car brands, and has since been used in attacks on Romanian government and Spanish educational sites.

The malware has the functionality to scan wide ranges of IP addresses for open SSH ports and brute force password lists downloaded from a server controlled by attackers.

The new updates include Telnet scanning and legitimate telnet service checks, and allow coverage of more CPU architectures commonly found in IoT devices.

Updated features have been seen since mid-July 2023.

Like the SSH scanner, the Telnet scanner calls a function that generates a random IP address and then tries to connect to port 23 on that IP address.

However, the Telnet scanner does not stop at confirming that the port is open; it also checks whether the receive buffer contains data.

The Telnet attack works by downloading a text file (telnet.txt) containing a list of commonly used weak passwords and their combinations for a wide range of applications, relying largely on the fact that many IoT devices still have default credentials.
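The scanning and brute-force behaviour described above (random IPs probed on ports 22 and 23, then a downloaded credential list tried against each host) leaves a recognisable trace in a defender's logs. The following is an added detection example, not code from the Akamai report or from the malware; the firewall line format (`src= dst= dport=`) is a hypothetical one, the sshd lines use the standard "Failed password" format, and all sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the Akamai report). Firewall-style lines in a
# hypothetical "src= dst= dport=" format, followed by standard sshd log lines.
FW_LOG = """\
src=198.51.100.7 dst=203.0.113.10 dport=22
src=198.51.100.7 dst=203.0.113.55 dport=22
src=198.51.100.7 dst=203.0.113.91 dport=23
src=198.51.100.7 dst=203.0.113.120 dport=23
src=198.51.100.7 dst=203.0.113.200 dport=22
src=198.51.100.7 dst=203.0.113.201 dport=23
src=192.0.2.44 dst=203.0.113.10 dport=443
src=192.0.2.44 dst=203.0.113.10 dport=22
"""
AUTH_LOG = """\
Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Failed password for root from 198.51.100.7 port 40002 ssh2
Failed password for invalid user pi from 198.51.100.7 port 40003 ssh2
Failed password for invalid user ubnt from 198.51.100.7 port 40004 ssh2
Failed password for root from 192.0.2.44 port 50000 ssh2
Accepted password for alice from 192.0.2.9 port 51000 ssh2
"""

FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SCAN_PORTS = {22, 23}  # SSH and Telnet, the two services KmsdBot probes


def find_scanners(fw_log, min_targets=5):
    """Return {src: distinct_target_count} for sources touching many distinct
    hosts on 22/23. A bot dialling random IPs yields many destinations per source,
    whereas a legitimate admin connects to a handful of known hosts."""
    targets = defaultdict(set)
    for m in FW_RE.finditer(fw_log):
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in SCAN_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def find_brute_forcers(auth_log, min_users=3):
    """Return {src: distinct_username_count} for sources cycling through a
    credential list (many different usernames failing from one address)."""
    users = defaultdict(set)
    for m in AUTH_RE.finditer(auth_log):
        users[m.group(2)].add(m.group(1))
    return {s: len(u) for s, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    print("scanners:", find_scanners(FW_LOG))          # {'198.51.100.7': 6}
    print("brute forcers:", find_brute_forcers(AUTH_LOG))  # {'198.51.100.7': 4}
```

The thresholds are deliberately low for the small sample; on real traffic, tune `min_targets` and `min_users` per time window and add the local admin and monitoring hosts to an allowlist before alerting.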

The sustained KmsdBot campaign shows that IoT devices are both ubiquitous on the Internet and vulnerable, which makes them attractive targets for building botnets of infected systems.

From a technical standpoint, adding telnet scanning capabilities would expand a botnet's attack surface, allowing it to attack a wider range of devices.

Moreover, as malware evolves and adds support for more CPU architectures, it poses a serious security threat to devices connected to the Internet, increasing the need for security measures and regular updates.