A new version of the KmsdBot malware has been discovered with enhanced capabilities for exploiting IoT devices, including Telnet scanning and support for more CPU architectures. According to research by the Akamai Security Intelligence Response Team (SIRT), the Kmsdx botnet has been on their monitoring radar since November 2022 and has since evolved into something far more sinister.
In a statement issued on their research blog by Larry Cashdollar:
“This time, we discovered an updated Kmsdx binary with an IoT slant, which is a stark expansion of capabilities compared with previous versions.”
The targeting of IoT devices in this upgrade gives insight into the threat actor's intentions and into the broader threat landscape.
Information about the New Kmsdx Botnet and Its Capabilities:
- The new Kmsdx binary now extends its targeting to IoT devices.
- It adds support for scanning Telnet services and for more CPU architectures, which broadens both its attack capability and its attack surface.
- The updated capabilities have been observed since mid-July 2023.
- Targets now include private gaming servers, cloud hosting providers, government institutions, and the education sector.
- The malware's activity shows that vulnerable IoT devices are a significant threat, underscoring the need for stricter security measures and timely security updates.
How the KmsdBot targets IoT Devices:
According to Akamai, KmsdBot has had quite a journey: from its initial discovery, to the botnet author crashing it, to Akamai SIRT emulating the botnet's C2 server.
In a statement by Larry:
“Our research into this ever-evolving malware has continued, leading to this fourth version: an updated Kmsdx binary. The binary is responsible for scanning random IP addresses for open SSH ports and attempting to log in to the system with a password list downloaded from the C2-server.”
The research team stated that the updated binary includes support for Telnet scanning and for verifying whether a Telnet service is legitimate. Further analysis shows that the binary's list of supported CPU architectures has grown considerably, now covering architectures commonly found in IoT devices.
The sample first checks for a valid Telnet service by determining whether any data is received on the initial connection to port 23. In other words, it checks not only whether something is listening on port 23, but whether that listener is a real service that presents a prompt, as opposed to one that simply disconnects.
If the check succeeds, the malware moves to its next stage, running the infection payload; if it fails, the scan of that host is terminated.
Larry stated:
“This seemingly simple IP scan actually has a bit of depth to it. This legitimacy check is one of the factors that clued us into the possibility of targeting IoT devices. Some IoT devices have telnet listening, and also have an access control list in place that drops the connection if the IP address isn’t from an RFC 1918 address space.”
Note: RFC 1918, "Address Allocation for Private Internets", defines the IP address ranges reserved for private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The Telnet scanner works in the same manner as the SSH scanner: it calls a function that generates a random IP address, and the bot then tries to connect to port 23 of that address. Unlike a simple port check, however, the Telnet scanner does not stop at the listening/not-listening decision.
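The legitimacy check described above, as an added example that is neither Akamai's code nor the bot's own: a small Python routine that distinguishes a port-23 listener that presents a prompt from one that accepts the connection and immediately drops it (the behaviour of an RFC 1918 access control list seen from outside), plus a helper that tells whether a source address falls inside the RFC 1918 ranges. The fake listener, its ephemeral port, the banner text and the timeouts are constructed for the demonstration and are assumptions, not values from the research. It is written as an audit check to run against devices you own.

```python
import ipaddress
import socket
import threading

TELNET_PORT = 23
BANNER_TIMEOUT = 3.0  # assumption: seconds to wait for a prompt after connecting

# RFC 1918 private ranges (explicit, rather than ipaddress.is_private, which
# also matches loopback, link-local and other non-1918 space)
_RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies inside one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in _RFC1918)


def classify_telnet(host: str, port: int = TELNET_PORT,
                    timeout: float = BANNER_TIMEOUT) -> str:
    """Classify what answers on host:port.

    'closed'    - connection refused or never completed
    'no-prompt' - TCP connection accepted but the peer sent nothing and/or
                  hung up (what an IP-based ACL looks like from outside)
    'prompt'    - the peer sent bytes first: a login banner, or Telnet IAC
                  option negotiation (0xFF ...), either of which means a real
                  service is talking to us
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "no-prompt"
            return "prompt" if data else "no-prompt"
    except OSError:
        return "closed"


def start_fake_service(behaviour: str) -> int:
    """Constructed test double: one-shot listener on 127.0.0.1, returns its port.

    behaviour 'prompt' -> send a login banner and wait for the client to leave
    behaviour 'drop'   -> accept, then close without sending anything
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "prompt":
                conn.sendall(b"\r\nlogin: ")  # constructed banner
                try:
                    conn.recv(64)  # returns b"" once the client closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for behaviour in ("prompt", "drop"):
        port = start_fake_service(behaviour)
        print(behaviour, "->", classify_telnet("127.0.0.1", port))
    for src in ("192.168.1.10", "172.31.255.1", "8.8.8.8"):
        print(src, "rfc1918" if is_rfc1918(src) else "public")
```

Run against a real device from a public address and then from inside its LAN: a device that answers 'no-prompt' externally but 'prompt' internally is exactly the ACL-protected Telnet the researchers describe. Keep the timeout short when sweeping your own ranges; a host that neither sends a banner nor closes within a few seconds is, for this purpose, indistinguishable from one that dropped you.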
Impact of the Upgraded KmsdBot Malware:
Akamai notes in its findings that earlier upgrades to the KmsdBot malware "have been less than successful. This time the update seems to have achieved success."
In addition to the scanning checks, the malware supports a list of additional architectures. According to the bot-tracking logs retrieved by Akamai, Telnet scanning has been ongoing since July 16, 2023.
The logs also show that the botnet uses several credential files, named app, euro, euro2, euro3, euro4, lilstat, stats, and users, each containing login credentials for different applications.
The file "app" holds credentials for applications such as Hadoop, Oracle, and Elasticsearch; the file "euro" holds TeamSpeak, CentOS, Ubuntu, and other login combinations.
The botnet primarily targets game servers, hosting companies, and other targets that seem out of scope; new additions include a Romanian government web portal and a list of universities based in Spain.
The arbitrary movement between targets suggests the botnet is operated as a botnet-for-hire service. The attacks have been observed targeting services on ports 80 and 443; however, the primary focus of the botnet's attacks is on "Bigdata."
The researchers posted indicators of compromise on their research blog and have promised to document and share more findings about the bot.