A new evasive and complex malware named KmsdBot is targeting the SSH connection that uses weak login credentials. Its goal is to gain entry into targeted systems and launch cryptomining operations and carry out DDoS attacks.
About KmsdBot
According to Akamai researchers, KmsdBot is a Golang-based malware that leverages cryptographic protocol to gain initial entry into targeted systems.
- KmsdBot is capable of performing scanning operations for open SSH ports and spreading itself by downloading a list of login credentials. It can launch cryptominers and DDoS attacks.
- There is a client binary that communicates with the C2 server, controls the mining process, and updates the malware.
- Another binary seems to perform cryptomining operations and additional attack operations.
However, it does not stay persistent on the infected system and deletes itself upon restart, as a way of evading detection.
The targets
- KmsdBot is targeting companies in the gaming technology industries and luxury car manufacturers.
- Its first observed target was a gaming company named FiveM, a multiplayer mod for Grand Theft Auto V, which allows players to access custom role-playing servers.
Attack details
- The malware includes specific targeted attacks as well as generic Layer 4 and Layer 7 DDoS attacks.
- It sends TCP, UDP, HTTP POST, or GET requests with C2 command to overwhelm a target server's resources and hamper its ability to process and respond.
- Moreover, it contains cross-compiled binaries for various architectures such as Winx86, Arm64, mips64, ppc64le, ppc64, x86_64, and others.
Conclusion
According to the researchers, KmsdBot is unpredictable with regard to its targets. Thus, organizations are recommended to deploy appropriate access controls across the networks to ensure that only authorized personnel is permitted access. Take extra security measures such as firewalls and network access control lists to mitigate DDoS attacks and prevent cryptojacking attacks.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/7ba4_shutterstock_772039471.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/df6e_shutterstock_1090003628.jpg)
