The Akamai Security Intelligence Response Team (SIRT) discovered a new version of the KmsdBot botnet that employed an updated Kmsdx binary targeting Internet of Things (IoT) devices.
KmsdBot is an evasive Golang-based malware that was first detected by Akamai in November 2022, it infects systems via an SSH connection that uses weak login credentials.
The malware was employed in cryptocurrency mining campaigns and to launch denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including as Winx86, Arm64, and mips64, x86_64, and does not stay persistent to avoid detection.
The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.
Since mid-July 2023, the binary observed in the attacks includes support for telnet scanning and support for more CPU architectures.
The bot targets private gaming servers, cloud hosting providers, and certain government and educational sites.
“The addition of IoT targeting also gives us some insight into the threat actor’s behavior and the landscape in general. Despite the existence of IoT for several years now, along with multiple large-scale IoT-driven distributed denial-of-service (DDoS) attacks, this new evolution demonstrates the vastness of the threat landscape still posed by IoT.” reads the report published by Akamai.
The sample checks for valid telnet services by attempting to connect to the devices on port 23, if the check passes (returns false) the bot proceeds to run the infection payload.
The telnet scanner also verifies that the receiving buffer contains data.
To investigate the attack and find the victims, the researchers looked at a text file (telnet.txt) that is downloaded by the bot. The file contains a list of commonly used credentials for varying applications. The use of these credentials unfortunately is still effective because many IoT devices are left with default credentials.
“each round of kmsd has had a few targets that have seemed out of scope. This time, a few Romanian government sites and some Spanish universities came under fire.” concludes the report which also includes Indicators of compromise (IoC). “The inconsistency of targeting is consistent with the threat actor behavior behind kmsd, which is likely a botnet-for-hire service. These attacks are targeting ports 80 and 443 with HTTP POST requests, and “bigdata” attacks remain the primary attack of choice.”
(SecurityAffairs – hacking, KmsdBot botnet)