Saturday, November 2, 2024
HomeDDOSKmsdBot - A Malware Written in Golang Infects Via SSH To Perform...

KmsdBot – A Malware Written in Golang Infects Via SSH To Perform DDoS Attack

Published on

Malware protection

Recently, a new piece of evasive malware has been discovered that is able to gain entry into enterprise systems in order to mine cryptocurrency by exploiting a key internet-facing protocol.

Researchers have discovered that the malware is capable of launching DDoS attacks, gaining a foothold on corporate networks, and launching attacks.

To maintain Akamai’s long-term security and stability, the Security Intelligence Response Team (SIRT) tracks, detects, documents, and publishes new developments.

- Advertisement - SIEM as a Service

Technical Analysis

Based on a comparison of the redress source outputs for the client binary and the ksmdm binary, it appears that they’re most likely the same thing, with slight differences in the code.

Redress is a free and open-source program that allows users to rebuild structures in Go binaries to facilitate reverse engineering in the Go programming language.

The fact that Golang is considered to be a critical tool which is undeniable because we are seeing an increasing number of attackers utilizing it for their malicious purposes.

According to the Akamai report, this might be due to the fact that it has become almost impossible to reverse-engineer this language as a result of the way it is implemented.

Attack on Gaming Company

A honeypot that was dangled in an unusually open way by KmsdBot in an attempt to lure attackers was detected by the researchers as a result of the detection.

This new malware infects computers that host custom private servers for popular game titles like Grand Theft Auto Online. While it was detected by FiveM, which hosts custom private servers for Grand Theft Auto Online.

During the attack, attackers opened a UDP socket using a FiveM session token and constructed a packet using the datagram protocol (UDP).

In addition to these attacks, the researchers also noticed that the bot was also involved in a range of other attacks that were less specifically targeted.

A recent study by researchers has concluded that KmsdBot malware is rapidly spreading because it is supported by a multitude of architectures, including: 

  • Winx86
  • Arm64
  • mips64
  • x86_64

While the command-and-control infrastructure of the program communicates with the system using TCP.

Cryptomining

Based on the output of the sym.main.randomwallet() function, there may be one or more crypto wallet user accounts. 

In order to contribute to various mining pools, it is possible that these individuals are selected at random from a pool of thousands of individuals.

Cryptomining activity was not observed by the experts during the period of time they observed the botnet. At the time of the research, the experts came to know that only DDoS attacks were being perpetrated by the botnet.

Cryptomining activity can be launched by the bot since it is capable of doing so. Despite this, it was found that there is a command ./ksmdr -o pool.hashvault.pro in which ksmdr is actually the renamed version of the xmrig binary.

Mitigations

A botnet such as this provides a great example of how complex security threat has become and how much it has evolved over the years. 

A bot that was created as part of an app for a game app seems to have evolved into a malicious program that is attacking large luxury brands.

One of the most notable features of this threat is how it spreads, and not only that even it uses a weak SSH connection to gain access to the system.

In light of these problems, the experts have developed some mitigation measures to keep the security of the organization’s system and network intact. And here we have mentioned them below:-

  • Whenever you deploy an application or server, make sure that your credentials are strong and don’t use default credentials.
  • Make sure that you keep the deployed applications up-to-date with the latest security patches and that you check in on them periodically to ensure that they are still functioning properly.
  • Make sure you use public key authentication when connecting to SSH, as there is no better way to prevent this type of compromise of the system than to do this.

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...