KmsdBot: A Customized Botnet Family with DDoS and Mining Capabilities

KmsdBot: A Customized Botnet Family with DDoS and Mining Capabilities

agosto 7, 2023 | NSFOCUS

I. Overview

NSFOCUS Security Labs recently detected that a new botnet family KmsdBot, which combines DDoS and mining functions, has become active again. Attackers continue to replace C&C infrastructure and update Trojan versions. Compared with the traditional botnet-like family, KmsdBot adopts a brand-new architecture and is developed in the Go programming language. The simplicity, high efficiency and good cross-platform of Go greatly reduce the development cost of malicious code. At the same time, the native characteristics of Go language cause great annoyance to analysts.

The family first came to people’s attention in September 2022, when the sample functions were imperfect and the attack module was not mature enough. It gets its name because the initial loader is called “kmsd.exe”. In October of that year, KmsdBot attacked the servers of game company FiveM. The family started adding DDoS modules in version 2 and has been updated to version 4. The DDoS attack module is more complete, and the code is optimized simultaneously, improving the program’s stability and gradually fixing the code style.

The family is highly targeted in attack target selection, focusing on the gaming and high-end automobile manufacturing industries. It also has customized modules for attacks against FiveM. It is also worth noting that the C&C addresses of this family are concentrated in Western Europe and North America, which are significantly less active in Russia than in other countries and regions.

II. Sample Analysis

2.1 Version change

Table 2.1 Evolution of KmsdBot samples

REV.TIMESIGNATURESC&C
v1Aug 14, 2022The sample size is about half of version 4; no exclusive file-lock is set; there are only two currency wallet addresses; less judgment on the number of CPU cores of the target host; only mining-related functions, without DDoS function.109.206.241.112:51382
v2Sept. 4, 2022DDoS module and attack module for fiveM company are added to the sample; exclusive file-lock is added; mining module named ksmdr is added; a large number of duplicate function modules with repeated names appear, which are suspected to be used in tests.109.206.241.112:51383
v3Oct 27, 2022There are many duplicate names in the function list. Functions disappear and become more concise.171.22.30.31:57388
v4May 14, 2023There are two new functions for setting request header and reconnection in response to fiveM company attack, and the function for the token setting of fiveM company is deleted. The program is simplified and the stability is improved.107.189.6.203:62652

2.2 Affected platform
KmsdBot is developed in the Go language and spread by means of SSH brute force attack. The latest version has been adapted to the following platforms:

Table 2.2 Architecture supported by latest sample

x86_64
386
amd64
mips
mips64
mipsle
mips64le
s390x
ppc
ppc64
686
ppc64le


2.3 Basic attack modules
The latest version of KmsdBot first uses the fslock library to create exclusive locks after runtime to prevent access conflicts. At the same time, a pid.lock file is generated in the same directory.

Figure 2.1 Exclusive lock flag

The sample is then propagated by pulling an SSH brute force tool called “watchdogs” from the FTP server via curl and tftp commands and invoking it for weak password brute force. Before calling the brute force tool, the Trojan will execute the following commands to increase the upper limit of system file descriptors in preparation for multi-threaded scanning and brute force cracking by the SSH brute force tool.

Figure 2.2 SSH brute force preparation parameters


The watchdogs pulled from the C&C server is an independent brute force module that attempts SSH login by weak password brute force and has a telnet scanning function.

Figure 2.3 SSH scanning brute force module

Figure 2.4 telnet scanning preparation module


Attackers have been maintaining and updating the DDoS attack module for a long time. Compared with earlier samples, multiple flooding attacks based on UDP protocol are added in the latest version. The DDoS attack methods in the latest version are as follows:

Table 2.3 DDoS attack methods

tcp_flood
tcphex_flood
udp_flood
udphex_flood
udpvse_flood
http_flood

2.4 Mining module
KmsdBot can completely control the workflow of mining program, and download, load and update mining program through “main_reloadminer”, “main_startminer” and “main_updateminer” functions.

Figure 2.5 New mining function module

In addition, it is worth noting that the mining program uses the name “watchdog” similar to the daemon of Linux to confuse the victims and adopts the tls protocol to protect the privacy of communication. The parameters for starting the mining process are as follows:

Figure 2.6 Startup parameters of mining module

The wallet address used in the latest version is as follows:

Figure 2.7 Built-in cryptocurrency wallet

2.5 Directional attack module
Unlike the traditional botnet-like family, KmsdBot has built-in modules for directed attacks against FiveM in later versions.

Figure 2.8 Early attack modules against FiveM companies


In the latest version, the above attack modules are integrated and optimized to improve the efficiency and stability of DDoS attacks and launch flooding attacks based on http protocol against FiveM.

Figure 2.9 Attack module against FiveM in the new version


III. Conclusion

Since the KmsdBot botnet family was first discovered at the end of 2022, its versions have been updated frequently and its functions are improving. It has both mining and DDoS functions, as well as targeted attack modules. Recently, the family has started a new round of activity. NSFOCUS Security Labs further organized the resources held by the controllers of this botnet family based on the data accumulated in NSFOCUS’s global threat hunting system and found that the controller behind the KmsdBot can be described as “a big business”. Its attack scope covers Windows and Linux platforms, with multiple self-developed hacker tools including SSH blast and mining. In addition to KmsdBot, the controlled botnet families also have multiple botnet families including Mirai variants. NSFOCUS Security Labs will continuously monitor KmsdBot and its controllers.

IV. IOC

Hash:

718fc249bcd6bc37ad229fb2d8c4037dc8dc8f4555d01934266d1a0c17d676cfELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
542791cf2dde1f449629b03ef95d3c2e0b2f98b1143d619232620d7c9459706cELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, not stripped
1f66675d2102e5d4ac89a239f9022c48b3bf23fe92dadb832d84e0eac6e476d6ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=4CWcVcQDyAfarcRQGM1Y/lXpmxngqUu8dHG25P9LP/7lbFU9sY5RhkJ3GtkYHV/5BsV46yNL398LjDsq7Ez, not stripped
50afbf471a92acd1a0a6a2ffe199a52881eb80f683d95273302506194b2cd6aeELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
b921f0de63ffae2865f5e1dbe8a52a1da505c902e2e4e2a96b85983029d311b5ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, Go  BuildID=dgDmRqzNrOYIFzUsZGX6/Jd6QBGYU0eXrZjbUCJto/yIwrhleWAjAyjsauMa-2/NdBwoRvNlrhjo4npEm2Z, not stripped
812133033ba969731b66c63d5468556e42048bad396ef1026b5a91dda98bc289ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, not stripped
8d1df3c5357adbab988c62682c85b51582649ff8a3b5c21fca3780fe220e5b11ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=lmjZVXbGVxjEutEAYziK/ak2EoKWzPPmCz2ipOltK/uKypKwO7m2jjT2AT0qnG/PiKIqd334XYNEl_likc3, with debug_info, not stripped
e83a61c538f11e4fc9dd9d0f414a9e74d0d585ffe3302e4d3741be6a3523bd1eELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=CV7cqV3r6hVM05Ma2jpB/kc_FWOhPv8HtKZQUhiUi/jrGTR9lhjVWxp-9kHdDA/ev1S8rMmqqwjpvWz4sLX, with debug_info, not stripped
714eeba5b6e4610946cd07c1ddadddc94052bfe450a8a9b1c23495721082884dELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=S65yXt0R7hEC1YEm5Ci7/qGG-jP6bpvA1TCgQwZoV/WpM491XNek0FReOrQmX_/EMNmhh6mJI8ycZhLPtP4, with debug_info, not stripped
8775bdd7a33f136d31b2840dab68505ac0ab8eaa0bcb58713fae36552b8a1f95ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=GJzVUpDg_KR3vZPPLHON/tJ5p1UP3VMYwQ8w3y3rW/zMKUPgxjCiHGh1jUampI/DJGzVSopd7ujiQ5NZsFY, with debug_info, not stripped
b927e0fe58219305d86df8b3e44493a7c854a6ea4f76d1ebe531a7bfd4365b54ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=57pm413aVTQ8Go rUjHox/DwlgdSzYxLxitlBpe0OR/hdbtJaHv8ujFruku5AIJ/RrSUbVKsJ9wj-rBopzh3, with debug_info, not stripped
75569874dadb814ce51d121c108ead006b0f39c27057945b649837563f635f51ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=2FTLNIjq7bgMnSOW0NhD/YBc64Ubft703RycI5yQL/85YkVXL_eseyGJG3XHm1/M_laLRa5tNb5oeZ24ROq, with debug_info, not stripped
09761d69bd5b00b2e767a1105dd3e80ce17b795cd817676c737a1e83c5b96f1bPE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
8d1df3c5357adbab988c62682c85b51582649ff8a3b5c21fca3780fe220e5b11ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=lmjZVXbGVxjEutEAYziK/ak2EoKWzPPmCz2ipOltK/uKypKwO7m2jjT2AT0qnG/PiKIqd334XYNEl_likc3, with debug_info, not stripped
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aabELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, stripped
e83a61c538f11e4fc9dd9d0f414a9e74d0d585ffe3302e4d3741be6a3523bd1eELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=CV7cqV3r6hVM05Ma2jpB/kc_FWOhPv8HtKZQUhiUi/jrGTR9lhjVWxp-9kHdDA/ev1S8rMmqqwjpvWz4sLX, with debug_info, not stripped
74075b2bdfaf52d9e5984a28ec7765ae489077a69dd696718e724a455a6f7910ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=lA-om03CG7rmRGVauhlK/_XGLZT-GnUhLmWxz-ZFs/JBg92ZptL6PKCGBNzO4P/PGEQ20SlCSvOvxus2cnT, with debug_info, not stripped
b927e0fe58219305d86df8b3e44493a7c854a6ea4f76d1ebe531a7bfd4365b54ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=57pm413aVTQ8Go rUjHox/DwlgdSzYxLxitlBpe0OR/hdbtJaHv8ujFruku5AIJ/RrSUbVKsJ9wj-rBopzh3, with debug_info, not stripped
8775bdd7a33f136d31b2840dab68505ac0ab8eaa0bcb58713fae36552b8a1f95ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=GJzVUpDg_KR3vZPPLHON/tJ5p1UP3VMYwQ8w3y3rW/zMKUPgxjCiHGh1jUampI/DJGzVSopd7ujiQ5NZsFY, with debug_info, not stripped
7fe04a3307666e6b6dac381664c901daea3ed5e8af3d7700ac5bde9550350d5aELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=oKopAFKAQrJhoY2b1vrY/AefSWWtAhOPkKPvbNlKA/8Cwl6kF8tPoGxn_ezdos/zCioSGTcw1kuPmWdmaFQ, not stripped
7c8a06b85280a43f96215203fb229d0f2a91b23d84e6ab2d25d9382fef19c35bELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go  BuildID=tUB_stK2lZyPnRmgFU4r/YEUKD-1paNoRgwqyNvoi/AUnj49wjlTtocKdByS53/ApRoq05iUcGRVOrvQRs4, not stripped
da609100cb66e6e4e79916ca1e7481269406e6a484f46187b3accb1626552d61ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, Go  BuildID=gQd9LGkPSm-S01lKRh1e/hRcs-mU7xbmO2DJ–5BB/NLnc_Fk1iKoeb3KhiKj0/SHwuQu5LFvRyXzxLwnke, not stripped
e5a06b250ba10fe0156efe7399b321cb8b1fc8b1929e49ee62d837fa1440313fELF 64-bit MSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), statically linked, not stripped
2971a37849388c7c3af0840eabc52f0b604fb9894429b7397100b12a069cfeffELF 64-bit MSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), statically linked, not stripped
718fc249bcd6bc37ad229fb2d8c4037dc8dc8f4555d01934266d1a0c17d676cfELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
542791cf2dde1f449629b03ef95d3c2e0b2f98b1143d619232620d7c9459706cELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, not stripped
1f66675d2102e5d4ac89a239f9022c48b3bf23fe92dadb832d84e0eac6e476d6ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=4CWcVcQDyAfarcRQGM1Y/lXpmxngqUu8dHG25P9LP/7lbFU9sY5RhkJ3GtkYHV/5BsV46yNL398LjDsq7Ez, not stripped
50afbf471a92acd1a0a6a2ffe199a52881eb80f683d95273302506194b2cd6aeELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
b921f0de63ffae2865f5e1dbe8a52a1da505c902e2e4e2a96b85983029d311b5ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, Go  BuildID=dgDmRqzNrOYIFzUsZGX6/Jd6QBGYU0eXrZjbUCJto/yIwrhleWAjAyjsauMa-2/NdBwoRvNlrhjo4npEm2Z, not stripped
812133033ba969731b66c63d5468556e42048bad396ef1026b5a91dda98bc289ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go  BuildID=lmjZVXbGVxjEutEAYziK/ak2EoKWzPPmCz2ipOlt

Currency Wallet:

43uCW7AgcgNcKj3MTBKVhy16iRqby1ithKpZyMzUdUGw1vyyqfn9Q5JU1RJ6ztS8C4AxxAKNM4Z4zARBRt2aRoQqFAKpgd6
4AK7DLTqTa7jM8mr5v2mBdRD4WojZJc8XfM8h4BEy177ChHWpgv4uEwfm3ktRwrEjx6r5EBH3eAoAKcw9x1KKCok9k5zK6d
44S7rRMq1wA1Ma9PdGkCBe52MN2bRVphfKAVVhSrSVxQXywRMFgWnB36ofhfUkKa1cBYqLh47SobKcHFVeT4TLeVAfGh2dN
43YuNypyDwXSVY2nrD9765iakoG5CzhrZMnEpDPnL8Wu5iBeg4Ekx6D1cXTDQBssDoQ3Hn6mtiggNVGSmwfAnUB28oy3fuD
45yK4gR5QCNag2X4g6ss6PUiL4s1e929b8mev4Rz3CbiTPU9NSXYHiyPL9FMi6cDVvD7EKho4atUf82s3vkVfFXNSsMqyUE
42vGrE1WDpKgue8Y9ewpi6gXupMqDqYiKV4EwM7CFZFuNdRKP3dG6rADE7DRAcoEWGY6LmgCRKAiX16wGAu3Tj4mMQ9HR5B
43YuNypyDwXSVY2nrD9765iakoG5CzhrZMnEpDPnL8Wu5iBeg4Ekx6D1cXTDQBssDoQ3Hn6mtiggNVGSmwfAnUB28oy3fuD
43uCW7AgcgNcKj3MTBKVhy16iRqby1ithKpZyMzUdUGw1vyyqfn9Q5JU1RJ6ztS8C4AxxAKNM4Z4zARBRt2aRoQqFAKpgd6
44S7rRMq1wA1Ma9PdGkCBe52MN2bRVphfKAVVhSrSVxQXywRMFgWnB36ofhfUkKa1cBYqLh47SobKcHFVeT4TLeVAfGh2dN
4AK7DLTqTa7jM8mr5v2mBdRD4WojZJc8XfM8h4BEy177ChHWpgv4uEwfm3ktRwrEjx6r5EBH3eAoAKcw9x1KKCok9k5zK6d
42WDUXX5UYtNf9DyboNRx6TgNrJD43QfgTvEjh8djtdKVoNppnN96Nz8sVp2wWJTQgW9e8XjFLkv6KpSEgwWbLXLMKn5wwg
46DBehyheMSatgdGffv8SVAEK8ts6Ur4wToVNL99Yqo6ZGnv7q4QpaxG7YnaasngPvN1rbyxYyCZAABgyXyme92wRMaVn1V
45yK4gR5QCNag2X4g6ss6PUiL4s1e929b8mev4Rz3CbiTPU9NSXYHiyPL9FMi6cDVvD7EKho4atUf82s3vkVfFXNSsMqyUE
42vGrE1WDpKgue8Y9ewpi6gXupMqDqYiKV4EwM7CFZFuNdRKP3dG6rADE7DRAcoEWGY6LmgCRKAiX16wGAu3Tj4mMQ9HR5B