{"id":4646,"date":"2022-11-14T20:10:28","date_gmt":"2022-11-14T14:40:28","guid":{"rendered":"https:\/\/qadit.com\/blog\/?p=4646"},"modified":"2022-11-14T20:10:28","modified_gmt":"2022-11-14T14:40:28","slug":"kmsdbot-a-new-evasive-bot-for-cryptomining-activity-and-ddos-attacks","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/kmsdbot-a-new-evasive-bot-for-cryptomining-activity-and-ddos-attacks\/","title":{"rendered":"KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks"},"content":{"rendered":"<h2>Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials.<\/h2>\n<p>Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials.<\/p>\n<p>The malware was employed in cryptocurrency mining campaigns and to launch distributed denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including Winx86, Arm64, mips64, and x86_64, and does not maintain persistence on the host, which helps it avoid detection.<\/p>\n<p>The malicious code was used in attacks targeting multiple sectors, including the gaming industry, the technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.<\/p>\n<p><em>\u201cwe found an interesting log entry: A cryptominer with distributed denial-of-service (DDoS) functionality tailored to the gaming industry. It\u2019s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang.\u201d reads the post published by Akamai. 
\u201cThe targets range from gaming companies to luxury car brands to security companies \u2014 this malware is almost erratic with regard to its targets.\u201d<\/em><\/p>\n<p><a href=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/2022\/11\/image.png\" rel=\"attachment wp-att-4647\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/2022\/11\/image.png\" alt=\"\" title=\"image-png\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-4647\" srcset=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/2022\/11\/image-150x150.png 150w, https:\/\/qadit.com\/blog\/wp-content\/uploads\/2022\/11\/image-100x100.png 100w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The analysis of the ksmdx sample reveals functions to perform scanning operations, software updates, and cryptomining activities.<\/p>\n<p>Once a system has been infected, the ksmdx binary notifies the C2 of the new infection by sending it an HTTP POST request containing the string \u2018Bruh Started:\u2019.<\/p>\n<p>The bot downloads a list of login credentials to use when it scans for open SSH ports.<\/p>\n<p>When analyzing the cryptomining activity, the experts noticed that the operators used crypto wallets, apparently chosen at random, to contribute to various mining pools.<\/p>\n<p>The bot appears to implement its own cryptomining functionality; in practice, however, it launches a renamed xmrig binary.<\/p>\n<p><em>\u201cThis botnet is a great example of the complexity of security and how much it evolves. What seems to have started as a bot for a game app has pivoted into attacking large luxury brands. What\u2019s new is how it infects \u2014 via an SSH connection that uses weak login credentials.\u201d concludes the report. \u201cThe good news is that the same techniques we recommend to keep most organizations\u2019 systems and networks secure still apply here. 
<\/em><\/p>\n<ul>\n<li><em>Don\u2019t use weak or default credentials for servers or deployed applications. <\/em><\/li>\n<li><em>Ensure you\u2019re keeping those deployed applications up-to-date with the latest security patches, and check in on them from time to time. <\/em><\/li>\n<li><em>Use public key authentication for your SSH connections. This is the best way to prevent this type of system compromise.\u201d<\/em><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials. Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials. The malware was employed in cryptocurrency mining campaigns and to launch &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/kmsdbot-a-new-evasive-bot-for-cryptomining-activity-and-ddos-attacks\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;KmsdBot, a new evasive bot for cryptomining activity and DDoS 
attacks&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-4646","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-1cW","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4646"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4646\/revisions"}],"predecessor-version":[{"id":4648,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4646\/revisions\/4648"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4646"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}