Researchers recently described a new malware family dubbed KmsdBot, a DDoS and cryptomining botnet that has infected numerous organisations. The botnet has since been taken down by its own operators: an improperly formatted command sent by its author crashed it.
The Go-based malware spreads over SSH, logging into systems that use weak credentials, and has builds for several platforms and architectures, including Windows, Arm64 and mips64. KmsdBot's recent attacks were DDoS floods against its victims, although it also carries a cryptomining capability.
In November, security researchers disclosed the botnet's activities and continued monitoring the threat it poses. Part of their analysis involved modifying a KmsdBot sample and testing different scenarios around its C2 functionality.
During the analysis, the researchers found the C2 server's IP address and port hard-coded in the malware and patched the sample to point to their own IP space instead. This gave them a controlled environment in which they could send their own commands to the bot sample and observe how it responded.
KmsdBot appears to have malfunctioned after receiving a command to flood Bitcoin's website with junk data.
While watching an attempted DDoS on Bitcoin's official website, the researchers observed that KmsdBot suddenly stopped working after its operators sent the command to flood the targeted site with junk data.
According to the analysts, the operators crashed their own botnet by accident with an improperly formatted command: they omitted the space between the target website's URL and the port number.
The bot does not validate commands before acting on them, so the malformed argument caused a crash. In the observed event, the malformed command crashed the bot code on the infected machines and severed its C2 communication, taking the botnet down.
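The failure mode described above, a whitespace-split command whose fields are indexed without a length check, is easy to reproduce. The following Go program is an added illustration, not KmsdBot's code: the command syntax `flood <target> <port> <seconds>` is an assumption made for the example, and the hostnames are constructed. `parseNaive` crashes the way the article describes when the space between target and port is missing; `parseChecked` shows the validation that would have returned an error instead.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a hypothetical flood command:
//   flood <target> <port> <seconds>
// This syntax is an assumption for illustration only; it is not the
// real KmsdBot command format.
type Command struct {
	Verb    string
	Target  string
	Port    int
	Seconds int
}

// parseNaive mirrors the failure mode from the article: it splits on
// whitespace and indexes the fields without checking how many it got.
// A missing space ("www.example.com443") merges two fields into one,
// so f[3] does not exist, the index is out of range, and Go panics.
// In a bot with no recover(), that panic terminates the whole process.
func parseNaive(line string) Command {
	f := strings.Fields(line)
	port, _ := strconv.Atoi(f[2])
	secs, _ := strconv.Atoi(f[3]) // panics on the malformed command
	return Command{Verb: f[0], Target: f[1], Port: port, Seconds: secs}
}

// parseChecked validates the field count and each argument before use
// and returns an error instead of crashing.
func parseChecked(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Command{}, fmt.Errorf("expected 4 fields, got %d", len(f))
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("bad port %q", f[2])
	}
	secs, err := strconv.Atoi(f[3])
	if err != nil || secs <= 0 {
		return Command{}, fmt.Errorf("bad duration %q", f[3])
	}
	return Command{Verb: f[0], Target: f[1], Port: port, Seconds: secs}, nil
}

// runNaive wraps parseNaive so the panic can be observed as an error
// without taking this demo process down. The bot had no such guard.
func runNaive(line string) (cmd Command, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("bot would have crashed: %v", r)
		}
	}()
	return parseNaive(line), nil
}

func main() {
	good := "flood www.example.com 443 30" // constructed sample
	bad := "flood www.example.com443 30"   // constructed: missing space
	for _, line := range []string{good, bad} {
		fmt.Printf("command: %q\n", line)
		if _, err := runNaive(line); err != nil {
			fmt.Println("  naive:  ", err)
		} else {
			fmt.Println("  naive:   ok")
		}
		if _, err := parseChecked(line); err != nil {
			fmt.Println("  checked:", err)
		} else {
			fmt.Println("  checked: ok")
		}
	}
}
```

The naive parser accepts the well-formed command and panics on the malformed one; the checked parser accepts the first and rejects the second with a field-count error, which is the difference between a botnet that survives a typo and one that does not.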
It is also worth noting that the bot has no persistence mechanism, so its authors cannot resume previous operations without reinfecting every targeted system from scratch.
This observation led the researchers to conclude that all of KmsdBot's previously active operations had stopped. Signs of its re-emergence were already beginning to appear, however, so users and the owners of previously targeted websites should strengthen their defences against DDoS attempts.