Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises

Published: 23/11/2024   Category: security




KmsdBot takes advantage of SSH connections with weak login credentials to mine currency and deplete network resources, as it gains a foothold on enterprise systems.



A just-discovered evasive malware takes advantage of a key Internet-facing protocol to gain entry onto enterprise systems to mine cryptocurrency, launch distributed denial-of-service (DDoS) attacks, and gain a foothold on corporate networks, researchers have found.
Dubbed KmsdBot by researchers at Akamai Security Research, the botnet infects systems via a Secure Shell Protocol (SSH) connection with weak login credentials, according to a report published Thursday. SSH is a remote administration protocol that allows users to access, control, and modify their remote servers over the Internet.
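The entry vector described above is password guessing over SSH, which leaves a recognisable trail in the sshd authentication log: a burst of "Failed password" lines from one source followed by an "Accepted password" for the same source. The following is an added detection example, not code from the article or from Akamai's report. The log lines are constructed for illustration (the hosts, PIDs and IP addresses are sample values), and the failure threshold of three is an assumed tuning knob, not a figure from the page.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the article or the Akamai report).
# They model a password-guessing run that eventually succeeds, plus benign traffic.
SAMPLE_LOG = """\
Nov 10 14:02:11 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Nov 10 14:02:13 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Nov 10 14:02:14 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51126 ssh2
Nov 10 14:02:16 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 51128 ssh2
Nov 10 14:02:18 web01 sshd[2209]: Accepted password for root from 203.0.113.5 port 51130 ssh2
Nov 10 14:05:02 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2: ED25519 SHA256:abc
Nov 10 14:07:45 web01 sshd[2260]: Failed password for bob from 192.0.2.9 port 60001 ssh2
"""

# Matches both "Failed <method> for <user>" and "Accepted <method> for <user>",
# tolerating the "invalid user" prefix sshd adds for unknown account names.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(log_text):
    """Return the authentication events in a log, in file order, as dicts."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def find_suspicious_sources(log_text, fail_threshold=3):
    """Flag source IPs with at least fail_threshold failed logins.

    For each flagged IP, also list accounts that logged in *by password* after the
    threshold had already been reached: the pattern of a guess that finally worked.
    Key-based logins are never counted as guessed, which is why disabling password
    authentication removes this whole class of finding.
    """
    failures = defaultdict(int)
    guessed = defaultdict(set)  # ip -> users who got in by password after many failures
    for event in parse_events(log_text):  # events are processed in log order
        ip = event["ip"]
        if event["result"] == "Failed":
            failures[ip] += 1
        elif event["method"] == "password" and failures[ip] >= fail_threshold:
            guessed[ip].add(event["user"])
    return {
        ip: {"failures": count, "likely_guessed_logins": sorted(guessed.get(ip, ()))}
        for ip, count in failures.items()
        if count >= fail_threshold
    }


if __name__ == "__main__":
    for ip, detail in find_suspicious_sources(SAMPLE_LOG).items():
        print(ip, detail)
```

On a real host the same function can be fed the contents of `/var/log/auth.log` or the output of `journalctl -u ssh`; the per-IP result with a non-empty `likely_guessed_logins` list is the one that warrants an incident response, since it indicates the foothold the article describes has already been obtained.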
The botnet poses the most risk for enterprises that have deployed cloud infrastructure, or corporate networks that are exposed to the Internet, says Larry Cashdollar, principal security intelligence response engineer at Akamai.
“Once this malware is running on your system, it essentially has a toehold into your network,” he tells Dark Reading. “It has functionality to update and spread itself, so it's possible it can burrow itself deeper into your network and surrounding systems.”
The researchers observed KmsdBot — which is written in Golang as an evasive measure — targeting an erratic range of victims, including gaming and technology companies as well as luxury car manufacturers, Cashdollar wrote in a Nov. 10 report. Golang is a programming language that's attractive to threat actors because it's difficult for researchers to reverse engineer.
Moreover, once it infects a system, the botnet does not maintain persistence, allowing it further to evade detection. “It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang,” Cashdollar wrote.
The researchers detected KmsdBot when they dangled an unusually open honeypot in the hopes of luring attackers. The first victim of the new malware they observed was an Akamai client — a gaming company called FiveM that allows people to host custom private servers for Grand Theft Auto online, they said.
In the attack, threat actors opened a user datagram protocol (UDP) socket and built a packet using a FiveM session token. UDP is a communication protocol used across the Internet for time-sensitive transmissions, such as video playback or DNS look-ups.
“This will cause the server to believe a user is starting a new session and waste additional resources besides network bandwidth,” Cashdollar wrote.
The researchers also observed a range of other attacks by the bot that were less specifically targeted, they said. They included generic Layer 4 TCP/UDP packets with random data as a payload, or Layer 7 HTTP consisting of GET and POST requests to either the root path or a specified path set in the attack command, he said.
And while the bot does have cryptomining capability, researchers did not observe this particular aspect of its functionality — only the DDoS activity, Cashdollar added.
In general, KmsdBot has a wide attack surface, supporting multiple architectures including Winx86, Arm64, mips64, and x86_64, researchers said. It uses TCP to communicate with its command-and-control infrastructure.
Despite the danger it poses to enterprises, they can avoid falling victim to the botnet by using common network security best practices that they really should be implementing anyway, Cashdollar says.
“The best way to prevent getting infected is to either use key-based authentication and disable password logins, or make sure you're using strong passwords,” he tells Dark Reading.
Indeed, password compromise — whether it's by using stolen credentials or cracking a company's weak protections — remains one of the top ways threat actors access enterprise systems.
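Cashdollar's recommendation above (key-based authentication with password logins disabled) maps onto a handful of `sshd_config` directives. The following is an added example, not code from the article or from Akamai, that audits an OpenSSH server configuration against that recommendation. Both configuration texts are constructed for illustration; the `DEFAULTS` table reflects OpenSSH's documented defaults for the keywords checked, and the `MaxAuthTries` ceiling of three is an assumed hardening choice rather than a value from the page.

```python
# Constructed example of a weak sshd_config: password logins allowed, root may log in
# with a password. Not taken from the article.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed example of the hardened counterpart: keys only, no interactive
# password prompts, root cannot authenticate with a password.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no   # keyboard-interactive can still prompt for a password via PAM
PubkeyAuthentication yes
MaxAuthTries 3
"""

# OpenSSH defaults for the keywords audited here, used when a directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# Assumed hardening ceiling for MaxAuthTries (not a figure from the article).
MAX_AUTH_TRIES_LIMIT = 3


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd honours the *first* occurrence of a keyword, so later duplicates are ignored.
    Comments and blank lines are dropped. Match blocks are not handled: anything after
    a 'Match' line is conditional and is left out of the global view on purpose.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config meets the policy."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication should be 'no': password guessing is the entry vector")
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication should be 'no': otherwise PAM may still prompt for a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication should be 'yes' so administrators keep a login path")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    if int(cfg["maxauthtries"]) > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"MaxAuthTries should be {MAX_AUTH_TRIES_LIMIT} or lower to slow guessing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

To check a live host, read `/etc/ssh/sshd_config` into `audit_sshd_config`; note that the effective configuration can also be pulled with `sshd -T`, which already resolves defaults and is the more reliable input when drop-in files under `sshd_config.d` are in use.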
Beyond strong passwords, security experts recommend multifactor authentication, as well as more advanced solutions to solve this persistent issue. However, it's advice that remains unheeded by users in many corporate settings, leaving networks exposed to threats such as KmsdBot.
Other easy steps organizations can take to protect themselves, according to Cashdollar, include keeping deployed applications up to date with the latest security patches, as well as checking in on them from time to time to ensure they remain secure.
