Tuesday, November 12, 2024
HomeMalwareKmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks

KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks

Published on

Malware protection

Researchers from Akamai have continued to study the cryptomining botnet KmsdBot and have looked at its attack flow. It is believed that KmsdBot is a distributed denial of service (DDoS) for hire due to the wide range of companies and regions that were attacked.

“We have continued to analyze and play around with KmsdBot, including modifying the binary and pointing it at our own command and control (C2), which led to us watching the threat actor crash the botnet”, Akamai researchers

Among the major targets were luxury brands and security companies, as well as the game modifications Grand Theft Auto V and Red Dead Redemption 2 and FiveM and RedM.

- Advertisement - SIEM as a Service

Asia, North America, and Europe represent the majority of the victims, according to observed IPs and domains.

Launch DDoS Attacks

While analyzing the attack traffic, the first noteworthy attack is referred to as “bigdata” and makes 1 Mb POST requests to the designated port. The payload looks to be garbage even though the Content-Type header says it is URL-encoded.

Researchers say this attack attempts to increase the amount of bandwidth needed to process each request by sending a lot of data in the body of each request. Hence, this is one of the most often used functionalities for this botnet and is a fairly basic feature that almost all DDoS campaigns use.

Also, the TCP protocol’s three-way handshake can be abused by the attacker by utilizing an SYN flood to create half-open connections on several ports. 

This makes it difficult for the target server to handle the volume of traffic and makes it much more difficult for it to discriminate between malicious and legitimate connection requests.

Instead of concentrating on the overall effect of the size of the single packet, there were also some standard HTTP(s) POST and traffic instructions that blend in with standard traffic by closely resembling a normal packet in both size and format.

Here the basic goal of HTTP-based attacks is to send out a lot of packets, which makes it difficult to identify them from legitimate traffic and block them while defending against an attack.

 “After observing this traffic for some time, we can see that after hitting a certain specified packet size, it will start back at a smaller size and grow again, repeating this process over and over”, explains researchers.

Targets Gaming, Luxury Brands, and Even Security Companies

The platforms FiveM and RedM, which are used to host modified “Grand Theft Auto V” and “Red Dead Redemption 2” servers, let server owners make new rules and add new elements to the server that wasn’t in the standalone game.

“A large concentration of targets was located in Asia, North America, and Europe based on the observed IPs and domains”, Akamai

Fig. 4: KmsdBot infection attempts
KmsdBot infection attempts

Final Word

KmsdBot, was intriguing for a few notable reasons: It was written in Go, it had cryptomining functionality, and it had seemingly erratic targets.

Akamai researchers noticed that KmsdBot follows some of the general tendencies, especially in terms of the language used. Malicious code is rapidly being created in a variety of languages, including Go and even compiled Python.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...