Golang-based malware is currently in vogue among cybercriminals. ZeroFox researchers came across a new botnet, Kraken, that is written in Golang and still under development. Although it shares its name with the Kraken botnet discovered in 2008, the two are different.
Diving into details
Kraken first came to the spotlight in October 2021 and is under active development. Even so, it already supports downloading and executing secondary payloads, taking screenshots of compromised systems, and running shell commands. Other features include:
Establishing persistence
Collecting host information for registration
Stealing crypto wallets
It targets Windows systems and uses SmokeLoader to install other malicious software.
Why it matters
Kraken’s features are constantly evolving and its developers are incorporating new elements and changing existing capabilities. Moreover, the use of SmokeLoader allows the botnet to rapidly scale in size and expand the attack surface. It can target Atomic Wallet, Ethereum, Bytecoin, Exodus, Armory, Zcash, Guarda, and Jaxx Liberty cryptocurrency wallets. The malware also downloads and executes RedLine Stealer to harvest credentials, credit card information, and autocomplete data from web browsers.
What else?
The botnet comes with an admin panel that allows the operators to upload new payloads, view command history and information, and interact with certain bots.
It can function as a channel to deploy other cryptominers and generic infostealers, which enables the threat actors to earn around $3,000 every month.
The bottom line
As of now, the end goals of Kraken’s authors remain unknown. ZeroFox recommends installing and upgrading all antivirus and intrusion detection software, implementing MFA, and avoiding clicking on attachments from unknown sources, among others.