Friday, March 29, 2024

KmsdBot – A Malware Written in Golang Infects Via SSH To Perform DDoS Attack

Recently, a new piece of evasive malware has been discovered that is able to gain entry into enterprise systems in order to mine cryptocurrency by exploiting a key internet-facing protocol.

Researchers have discovered that the malware is capable of launching DDoS attacks, gaining a foothold on corporate networks, and launching attacks.

To maintain Akamai’s long-term security and stability, the Security Intelligence Response Team (SIRT) tracks, detects, documents, and publishes new developments.

Technical Analysis

Based on a comparison of the redress source outputs for the client binary and the ksmdm binary, it appears that they’re most likely the same thing, with slight differences in the code.

Redress is a free and open-source program that allows users to rebuild structures in Go binaries to facilitate reverse engineering in the Go programming language.

The fact that Golang is considered to be a critical tool which is undeniable because we are seeing an increasing number of attackers utilizing it for their malicious purposes.

According to the Akamai report, this might be due to the fact that it has become almost impossible to reverse-engineer this language as a result of the way it is implemented.

Attack on Gaming Company

A honeypot that was dangled in an unusually open way by KmsdBot in an attempt to lure attackers was detected by the researchers as a result of the detection.

This new malware infects computers that host custom private servers for popular game titles like Grand Theft Auto Online. While it was detected by FiveM, which hosts custom private servers for Grand Theft Auto Online.

During the attack, attackers opened a UDP socket using a FiveM session token and constructed a packet using the datagram protocol (UDP).

In addition to these attacks, the researchers also noticed that the bot was also involved in a range of other attacks that were less specifically targeted.

A recent study by researchers has concluded that KmsdBot malware is rapidly spreading because it is supported by a multitude of architectures, including: 

  • Winx86
  • Arm64
  • mips64
  • x86_64

While the command-and-control infrastructure of the program communicates with the system using TCP.

Cryptomining

Based on the output of the sym.main.randomwallet() function, there may be one or more crypto wallet user accounts. 

In order to contribute to various mining pools, it is possible that these individuals are selected at random from a pool of thousands of individuals.

Cryptomining activity was not observed by the experts during the period of time they observed the botnet. At the time of the research, the experts came to know that only DDoS attacks were being perpetrated by the botnet.

Cryptomining activity can be launched by the bot since it is capable of doing so. Despite this, it was found that there is a command ./ksmdr -o pool.hashvault.pro in which ksmdr is actually the renamed version of the xmrig binary.

Mitigations

A botnet such as this provides a great example of how complex security threat has become and how much it has evolved over the years. 

A bot that was created as part of an app for a game app seems to have evolved into a malicious program that is attacking large luxury brands.

One of the most notable features of this threat is how it spreads, and not only that even it uses a weak SSH connection to gain access to the system.

In light of these problems, the experts have developed some mitigation measures to keep the security of the organization’s system and network intact. And here we have mentioned them below:-

  • Whenever you deploy an application or server, make sure that your credentials are strong and don’t use default credentials.
  • Make sure that you keep the deployed applications up-to-date with the latest security patches and that you check in on them periodically to ensure that they are still functioning properly.
  • Make sure you use public key authentication when connecting to SSH, as there is no better way to prevent this type of compromise of the system than to do this.

Managed DDoS Attack Protection for Applications – Download Free Guide

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles