The new KmsdBot malware mines crypto and launches DDoS attacks

November 29, 2022

Researchers have shared new findings on a highly evasive malware, dubbed KmsdBot, that gains access to targeted computers over the Secure Shell (SSH) protocol and then uses the victims' computing resources to mine cryptocurrency and to launch DDoS attacks.

KmsdBot is written in the Go programming language and has been observed targeting organisations ranging from the gaming sector to luxury car brands and security firms. According to the researchers, it gains initial access over SSH by logging in with weak credentials. To evade detection, the malware does not persist on an infected system: it does not install any mechanism to survive a reboot, so a restarted host is clean until it is compromised again.


KmsdBot takes its name from 'kmsd.exe', the executable it downloads from a remote server after a successful compromise.


The malware's operators also built it for several platforms and CPU architectures, with variants for Winx86, mips64, Arm64, and x86_64.

KmsdBot's known capabilities include scanning for further hosts to compromise and spreading to them by downloading a list of username and password combinations to try over SSH. The researchers also noted that it can start and stop the crypto-mining process and update its own payload on command.
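Because KmsdBot does not persist, the host's sshd authentication log is often the most durable artifact of a compromise: a run of failed password attempts for several usernames from one source, followed by an accepted password login from that same source. The following Python script, an added example that is not Akamai's code and not part of the original article, flags exactly that pattern in syslog-style sshd lines. The log lines are constructed, and the thresholds (five failures across at least three distinct usernames) are assumed values to tune for your own environment.

```python
"""Flag SSH password brute-forcing followed by a successful login.

Added example: not Akamai's code and not part of the original article.
The sample log lines are constructed; the regexes follow OpenSSH's standard
"Failed password" / "Accepted password" message formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix ("Nov 29 03:14:01 host sshd[1201]: ") followed by the OpenSSH message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source guessing five accounts and then getting in as
# "admin", one user mistyping a password once, and one key-based login.
SAMPLE_LINES = """\
Nov 29 03:14:01 web1 sshd[1201]: Failed password for root from 203.0.113.45 port 40122 ssh2
Nov 29 03:14:03 web1 sshd[1203]: Failed password for admin from 203.0.113.45 port 40130 ssh2
Nov 29 03:14:05 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.45 port 40138 ssh2
Nov 29 03:14:08 web1 sshd[1207]: Failed password for invalid user pi from 203.0.113.45 port 40141 ssh2
Nov 29 03:14:10 web1 sshd[1209]: Failed password for root from 203.0.113.45 port 40150 ssh2
Nov 29 03:14:12 web1 sshd[1211]: Failed password for invalid user ubuntu from 203.0.113.45 port 40158 ssh2
Nov 29 03:14:52 web1 sshd[1213]: Accepted password for admin from 203.0.113.45 port 40170 ssh2
Nov 29 03:15:00 web1 sshd[1220]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov 29 03:15:04 web1 sshd[1220]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Nov 29 03:16:10 web1 sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 52011 ssh2
""".splitlines()


def _parse_ts(ts: str, year: int = 2022) -> datetime:
    # Syslog timestamps carry no year; the year is assumed for this example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, min_failures=5, min_users=3):
    """Return {ip: {"failures", "users", "success"}} for every source whose
    failed password attempts reach min_failures across at least min_users
    distinct usernames. "success" is (user, timestamp) of the first password
    login accepted after the guessing run, or None if none was seen."""
    events = defaultdict(list)  # ip -> [(timestamp, kind, user)]
    for line in lines:
        for kind, rx in (("fail", FAILED_RE), ("ok", ACCEPTED_RE)):
            m = rx.match(line)
            if m:
                events[m["ip"]].append((_parse_ts(m["ts"]), kind, m["user"]))
                break

    findings = {}
    for ip, evs in events.items():
        evs.sort()  # process each source's events in time order
        failures, users, success = 0, set(), None
        for ts, kind, user in evs:
            if kind == "fail":
                failures += 1
                users.add(user)
            elif success is None and failures >= min_failures:
                success = (user, ts)  # password accepted after a guessing run
        if failures >= min_failures and len(users) >= min_users:
            findings[ip] = {"failures": failures, "users": sorted(users), "success": success}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LINES).items():
        print(f"{ip}: {f['failures']} failures across {f['users']}, login succeeded: {f['success']}")
```

Key-based logins ("Accepted publickey") deliberately do not match, so only password logins can close a guessing run. Pair the detection with prevention: on hosts that must expose SSH, set `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config and use keys, which removes the weak-credential path this bot depends on.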

One of the first observed targets of the malware was FiveM, a multiplayer modification framework for Grand Theft Auto V.

For DDoS, the researchers observed the operator launching both layer 4 and layer 7 attacks against its targets: floods of TCP or UDP packets, or of HTTP GET requests, intended to exhaust the target servers' resources and disrupt their ability to respond to legitimate traffic.
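The following Python script, an added example that is not the researchers' code and not part of the original article, shows how a layer 7 GET flood stands out in web-server access logs: it keeps a sliding window of request timestamps per source, flags any source whose count inside the window exceeds a threshold, and reports how concentrated that source's requests are on a single path (a flood usually hammers one URL, which is what distinguishes it from a busy but legitimate client). The access-log lines are constructed in the common log format; the window (10 seconds) and threshold (50 requests) are assumed values.

```python
"""Spot a layer 7 HTTP GET flood in access-log lines with a sliding window.

Added example: not the researchers' code and not part of the original article.
The access-log lines are constructed in the common log format; window and
threshold values are assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")  # e.g. 29/Nov/2022:03:20:01 +0000


def _line(ip: str, second: int, path: str) -> str:
    return f'{ip} - - [29/Nov/2022:03:20:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one source sending 20 GETs per second for six seconds
# against "/", plus a normal visitor making three requests.
SAMPLE_LINES = [_line("203.0.113.45", i // 20, "/") for i in range(120)]
SAMPLE_LINES += [_line("198.51.100.7", 3 * i, p) for i, p in enumerate(["/", "/about", "/contact"])]


def detect_get_flood(lines, window_s=10, max_requests=50):
    """Return {ip: {"peak", "top_path", "top_share"}} for every source that
    issued more than max_requests GETs within any window_s-second span.
    "peak" is the largest window count seen; "top_share" is the fraction of
    the source's requests aimed at its single most-requested path."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    paths = defaultdict(Counter)  # ip -> path -> request count
    peak = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        ip, ts = m["ip"], _parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][m["path"]] += 1

    findings = {}
    for ip, n in peak.items():
        if n > max_requests:
            top_path, top_count = paths[ip].most_common(1)[0]
            findings[ip] = {
                "peak": n,
                "top_path": top_path,
                "top_share": round(top_count / sum(paths[ip].values()), 2),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_get_flood(SAMPLE_LINES).items():
        print(f"{ip}: {f['peak']} GETs in 10 s, {f['top_share']:.0%} of them to {f['top_path']}")
```

The same per-source window logic applies to layer 4 floods if you feed it flow records (source, timestamp, protocol) instead of access-log lines; the difference is only in what gets parsed, not in how the rate is judged.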

KmsdBot appears to have started as a bot aimed at a gaming application, and it is a good example of how far a malicious payload can evolve in scope and complexity: its operators are now using it to attack large brands and organisations.

Broader cryptojacking statistics for 2022 show the same trend. In the first quarter of 2022, researchers found that 12% of exploited software vulnerabilities were used to deploy cryptocurrency miners; by the third quarter that share had risen to 17%. About half of the analysed malicious mining samples mined Monero (XMR) on victims' computers.

Ethiopia was the most targeted country for such attacks in the third quarter of 2022, with 2.38% of users affected, followed by Kazakhstan (2.13%) and Uzbekistan (2.01%).
