KmsdBot – A Malware Written in Golang Infects Via SSH To Perform DDoS Attack

Recently, a new piece of evasive malware was discovered that gains entry into enterprise systems through a key internet-facing protocol, SSH, in order to mine cryptocurrency.

Researchers found that the malware can gain a foothold on corporate networks and launch DDoS attacks from the compromised hosts.

Akamai’s Security Intelligence Response Team (SIRT) tracks, detects, documents, and publishes new developments of this kind in order to maintain Akamai’s long-term security and stability.

Technical Analysis

A comparison of the redress output for the client binary and the ksmdm binary suggests that they are most likely the same program, with only slight differences in the code.

Redress is a free and open-source tool that reconstructs the structures in Go binaries (types, packages, functions) to ease reverse engineering of programs written in Go.

That Golang has become a critical tool for attackers is undeniable: an increasing number of them are writing their malware in it.

According to the Akamai report, this may be because the way the language is implemented has made its binaries almost impossible to reverse-engineer.

Attack on Gaming Company

The researchers first detected KmsdBot when it attacked one of their honeypots, which had been left deliberately and unusually open in order to lure attackers.

This new malware infects computers that host custom private servers for popular game titles such as Grand Theft Auto Online; the attack was observed against FiveM, which hosts such servers.

During the attack, the bot opened a UDP socket and constructed datagram (UDP) packets carrying a FiveM session token.

In addition to these attacks, the researchers noticed that the bot was involved in a range of other attacks that were less specifically targeted.

The researchers concluded that KmsdBot is spreading rapidly because it is built for a multitude of architectures, including:

  • Winx86
  • Arm64
  • mips64
  • x86_64

Its command-and-control infrastructure communicates with the infected system over TCP.

Cryptomining

The presence of a sym.main.randomwallet() function suggests that the bot carries one or more cryptocurrency wallet addresses.

These wallets are apparently selected at random when the bot contributes hashing power to the various mining pools.

The experts did not observe any cryptomining activity during the period in which they monitored the botnet; at the time of the research, the botnet was being used only for DDoS attacks.

The bot nevertheless retains the capability to mine: the analysts found the command ./ksmdr -o pool.hashvault.pro, in which ksmdr is a renamed copy of the xmrig mining binary.
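Because the miner is a renamed copy of xmrig, a detection that looks for a binary called xmrig will miss it. The following added example (not code from the Akamai report) instead scans constructed ps-style command lines for the pattern the page describes: any binary invoked with -o pointing at a mining pool, or with a stratum:// URL. The pool host pool.hashvault.pro is taken from the page; the other hosts and wallet value are constructed placeholders.

```python
"""Flag processes whose command line looks like a renamed XMRig miner.

Added example, not from the Akamai report: it inspects `ps`-style command
lines for `-o <pool host>` / `--url=stratum+tcp://...` arguments, so the
check does not depend on the binary being named xmrig.
"""
import shlex

# Pool hostname named on the page; extend this set from your own threat intel.
KNOWN_POOLS = {"pool.hashvault.pro"}

# Constructed sample of `ps -eo pid,user,args` output (not real telemetry).
SAMPLE_PS = """\
  PID USER     COMMAND
 1001 root     /usr/sbin/sshd -D
 2310 gamesrv  ./ksmdr -o pool.hashvault.pro -u WALLET_PLACEHOLDER -p x
 2355 gamesrv  /usr/bin/python3 app.py -o output.txt
 2402 root     ./httpd-helper --url=stratum+tcp://pool.example.net:3333
"""


def pool_target(argv):
    """Return the mining-pool host named on a command line, or None.

    Flags a command when `-o`/`--url` names a known pool host, or when the
    URL uses a stratum scheme (the protocol miners speak to pools).
    """
    for i, arg in enumerate(argv):
        if arg in ("-o", "--url") and i + 1 < len(argv):
            candidate = argv[i + 1]
        elif arg.startswith(("-o=", "--url=")):
            candidate = arg.split("=", 1)[1]
        else:
            continue
        scheme, _, rest = candidate.rpartition("://")
        host = rest.split(":")[0].split("/")[0]
        if host in KNOWN_POOLS or scheme.startswith("stratum"):
            return host
    return None


def find_miners(ps_output):
    """Return [(pid, user, binary, pool)] for suspicious command lines."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes in a command line
            argv = cmd.split()
        pool = pool_target(argv)
        if pool:
            hits.append((int(pid), user, argv[0], pool))
    return hits


if __name__ == "__main__":
    for pid, user, binary, pool in find_miners(SAMPLE_PS):
        print(f"pid {pid} ({user}): {binary} talks to mining pool {pool}")
```

On a live host, feed it the output of ps -eo pid,user,args; a match on a binary with an unfamiliar name, as with ksmdr here, is the signal worth escalating, since the -o output.txt case shows why the flag alone is not enough.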

Mitigations

A botnet such as this is a good example of how complex security threats have become and how much they have evolved over the years.

A bot that appears to have started life as part of a game app has evolved into a malicious program that is attacking large luxury brands.

One of the most notable features of this threat is how it spreads: it gains access through SSH connections that are protected only by weak credentials.

In light of these problems, the experts have proposed the following mitigation measures to keep the organization’s systems and network secure:

  • Whenever you deploy an application or server, make sure that your credentials are strong and don’t use default credentials.
  • Make sure that you keep the deployed applications up-to-date with the latest security patches and that you check in on them periodically to ensure that they are still functioning properly.
  • Make sure you use public key authentication for SSH, as there is no better way to prevent this type of compromise.
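The third mitigation is only effective if password logins are actually switched off, and sshd resolves its configuration in a way that is easy to get wrong (the first value given for a keyword wins, and anything after a Match line is conditional). The following added example, not code from the Akamai report, audits an sshd_config against the settings the list above calls for, using OpenSSH's documented defaults when a keyword is absent; the two sample configurations are constructed.

```python
"""Audit an sshd_config for the SSH hardening the mitigations above require.

Added example, not from the Akamai report. It applies sshd's own rule that the
first value given for a keyword wins, ignores Match blocks (whose settings are
conditional), and falls back to OpenSSH's documented defaults for absent keys.
"""

# OpenSSH defaults for the keywords we care about (see sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Values a hardened host should have for each keyword.
EXPECTED = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}


def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after the first Match is conditional
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(config_text):
    """Return [(keyword, actual, allowed)] for every weak setting found."""
    settings = effective_settings(config_text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual not in allowed:
            findings.append((key, actual, sorted(allowed)))
    return findings


# Constructed sample: the kind of host this bot spreads to.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: keys only; the Match block does not weaken the global policy.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config on the hosts you manage; for the authoritative view, compare its findings with the output of sshd -T, which prints the effective configuration as the daemon itself resolves it, including any Include directives this script does not follow.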

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.