Wednesday, April 30, 2025
HomeDDOSKmsdBot - A Malware Written in Golang Infects Via SSH To Perform...

KmsdBot – A Malware Written in Golang Infects Via SSH To Perform DDoS Attack

Published on

SIEM as a Service

Follow Us on Google News

Recently, a new piece of evasive malware has been discovered that is able to gain entry into enterprise systems in order to mine cryptocurrency by exploiting a key internet-facing protocol.

Researchers have discovered that the malware is capable of launching DDoS attacks, gaining a foothold on corporate networks, and launching attacks.

To maintain Akamai’s long-term security and stability, the Security Intelligence Response Team (SIRT) tracks, detects, documents, and publishes new developments.

- Advertisement - Google News

Technical Analysis

Based on a comparison of the redress source outputs for the client binary and the ksmdm binary, it appears that they’re most likely the same thing, with slight differences in the code.

Redress is a free and open-source program that allows users to rebuild structures in Go binaries to facilitate reverse engineering in the Go programming language.

The fact that Golang is considered to be a critical tool which is undeniable because we are seeing an increasing number of attackers utilizing it for their malicious purposes.

According to the Akamai report, this might be due to the fact that it has become almost impossible to reverse-engineer this language as a result of the way it is implemented.

Attack on Gaming Company

A honeypot that was dangled in an unusually open way by KmsdBot in an attempt to lure attackers was detected by the researchers as a result of the detection.

This new malware infects computers that host custom private servers for popular game titles like Grand Theft Auto Online. While it was detected by FiveM, which hosts custom private servers for Grand Theft Auto Online.

During the attack, attackers opened a UDP socket using a FiveM session token and constructed a packet using the datagram protocol (UDP).

In addition to these attacks, the researchers also noticed that the bot was also involved in a range of other attacks that were less specifically targeted.

A recent study by researchers has concluded that KmsdBot malware is rapidly spreading because it is supported by a multitude of architectures, including: 

  • Winx86
  • Arm64
  • mips64
  • x86_64

While the command-and-control infrastructure of the program communicates with the system using TCP.

Cryptomining

Based on the output of the sym.main.randomwallet() function, there may be one or more crypto wallet user accounts. 

In order to contribute to various mining pools, it is possible that these individuals are selected at random from a pool of thousands of individuals.

Cryptomining activity was not observed by the experts during the period of time they observed the botnet. At the time of the research, the experts came to know that only DDoS attacks were being perpetrated by the botnet.

Cryptomining activity can be launched by the bot since it is capable of doing so. Despite this, it was found that there is a command ./ksmdr -o pool.hashvault.pro in which ksmdr is actually the renamed version of the xmrig binary.

Mitigations

A botnet such as this provides a great example of how complex security threat has become and how much it has evolved over the years. 

A bot that was created as part of an app for a game app seems to have evolved into a malicious program that is attacking large luxury brands.

One of the most notable features of this threat is how it spreads, and not only that even it uses a weak SSH connection to gain access to the system.

In light of these problems, the experts have developed some mitigation measures to keep the security of the organization’s system and network intact. And here we have mentioned them below:-

  • Whenever you deploy an application or server, make sure that your credentials are strong and don’t use default credentials.
  • Make sure that you keep the deployed applications up-to-date with the latest security patches and that you check in on them periodically to ensure that they are still functioning properly.
  • Make sure you use public key authentication when connecting to SSH, as there is no better way to prevent this type of compromise of the system than to do this.

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...