I. Overview
NSFOCUS Security Labs recently detected that KmsdBot, a new botnet family that combines DDoS and mining functions, has become active again. The attackers keep replacing their C&C infrastructure and releasing new Trojan versions. Compared with traditional botnet families, KmsdBot adopts a brand-new architecture and is written in Go. Go's simplicity, efficiency and cross-platform support greatly reduce the cost of developing malicious code, while the native characteristics of Go binaries make analysis considerably harder.
The family first came to attention in September 2022, when the sample's functionality was still incomplete and the attack module immature. It takes its name from the initial loader, "kmsd.exe". In October of that year, KmsdBot attacked the servers of the game company FiveM. The family added DDoS modules in version 2 and has since been updated to version 4: the DDoS attack module is more complete, the code has been optimized, the program's stability has improved and the code style has gradually been cleaned up.
The family is highly selective in its choice of targets, focusing on the gaming and high-end automobile manufacturing industries, and carries customized modules for attacks against FiveM. It is also worth noting that the family's C&C addresses are concentrated in Western Europe and North America, with significantly less activity in Russia than in other countries and regions.
II. Sample Analysis
2.1 Version change
Table 2.1 Evolution of KmsdBot samples
REV. | TIME | SIGNATURES | C&C
v1 | Aug 14, 2022 | Sample is about half the size of version 4; no exclusive file lock; only two cryptocurrency wallet addresses; weaker checks on the number of CPU cores of the target host; mining-related functions only, no DDoS function. | 109.206.241.112:51382
v2 | Sept 4, 2022 | DDoS module and an attack module aimed at FiveM added; exclusive file lock added; mining module named ksmdr added; a large number of duplicate function modules with repeated names appear, suspected to be test code. | 109.206.241.112:51383
v3 | Oct 27, 2022 | Many duplicate names remain in the function list; some functions are removed and the remaining code becomes more concise. | 171.22.30.31:57388
v4 | May 14, 2023 | Two new functions for setting the request header and reconnecting in the FiveM attack; the function that set the FiveM token is removed. The program is simplified and its stability improved. | 107.189.6.203:62652
2.2 Affected platform
KmsdBot is developed in Go and spreads by SSH brute force. The latest version has been built for the following platforms:
Table 2.2 Architecture supported by latest sample
x86_64, 386, amd64, mips, mips64, mipsle, mips64le, s390x, ppc, ppc64, 686, ppc64le
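The platform tags above and the Go BuildID strings in the IOC entries both come straight out of the ELF header and the linker's build ID note. The following triage helper is an added example, not NSFOCUS's tooling or code: it reads class, byte order and machine type from an ELF image and walks the section headers for the `.note.go.buildid` note. The mapping from e_machine to the Table 2.2 tags is this example's own approximation (386 and 686 share EM_386; amd64 and x86_64 share EM_X86_64; the mips and ppc64 variants differ only in class and byte order), and the ELF image it parses is constructed in-line, not one of the samples.

```python
import struct
# e_machine values (ELF spec) behind the Table 2.2 tags; class and byte order separate the variants
MACHINES = {3: "386/686", 8: "mips", 20: "ppc", 21: "ppc64", 22: "s390x", 40: "arm",
            62: "x86_64/amd64", 183: "aarch64"}

def inspect_elf(data: bytes) -> dict:
    """Triage an ELF image: class, byte order, machine, and the Go build ID if present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_machine, = struct.unpack_from(end + "H", data, 18)
    if is64:   # Elf64_Ehdr: e_shoff at 40; e_shentsize, e_shnum, e_shstrndx at 58
        shoff, = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "3H", data, 58)
        off_fmt, off_at = "QQ", 24   # sh_offset, sh_size inside an Elf64_Shdr
    else:      # Elf32_Ehdr: e_shoff at 32; the three counts at 46
        shoff, = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "3H", data, 46)
        off_fmt, off_at = "II", 16
    def section(i):  # (name offset into .shstrtab, raw bytes) of section header i
        base = shoff + i * shentsize
        name_off, = struct.unpack_from(end + "I", data, base)
        s_off, s_size = struct.unpack_from(end + off_fmt, data, base + off_at)
        return name_off, data[s_off:s_off + s_size]
    _, shstrtab = section(shstrndx)
    info = {"class": "ELF64" if is64 else "ELF32", "byte_order": "LSB" if end == "<" else "MSB",
            "machine": MACHINES.get(e_machine, f"unknown({e_machine})"), "go_build_id": None}
    for i in range(shnum):
        name_off, body = section(i)
        name = shstrtab[name_off:shstrtab.index(b"\0", name_off)]
        if name == b".note.go.buildid" and len(body) >= 12:
            # ELF note: namesz, descsz, type; name padded to 4 bytes; desc carries the build ID
            namesz, descsz, _ntype = struct.unpack_from(end + "3I", body, 0)
            desc_at = 12 + (namesz + 3) // 4 * 4
            info["go_build_id"] = body[desc_at:desc_at + descsz].decode("ascii", "replace")
    return info

def build_sample_elf64(build_id: bytes) -> bytes:
    """Constructed little-endian x86-64 ELF carrying only a Go build ID note (not a real sample)."""
    shstr = b"\0.note.go.buildid\0.shstrtab\0"
    note = struct.pack("<3I", 4, len(build_id), 4) + b"Go\0\0" + build_id  # note type 4 = Go build ID
    shoff = (64 + len(note) + len(shstr) + 7) & ~7          # section header table, 8-byte aligned
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)  # ET_EXEC, EM_X86_64, 3 sections
    def shdr(name, typ, off, size):  # Elf64_Shdr with no flags and addralign 1
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    image = ehdr + note + shstr
    image += b"\0" * (shoff - len(image))
    return image + shdr(0, 0, 0, 0) + shdr(1, 7, 64, len(note)) + shdr(18, 3, 64 + len(note), len(shstr))
```

Run `inspect_elf` over a directory of captured binaries to bucket them by platform and to pivot on the build ID, which survives renaming of the file.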
2.3 Basic attack modules
After starting, the latest version of KmsdBot first uses the fslock library to create an exclusive lock to prevent access conflicts, generating a pid.lock file in its own directory in the process.
The sample then propagates by pulling an SSH brute force tool named "watchdogs" from an FTP server with the curl and tftp commands and invoking it to brute force weak passwords. Before calling the tool, the Trojan executes the following commands to raise the system's file descriptor limit, in preparation for the tool's multi-threaded scanning and brute forcing.
The watchdogs binary pulled from the C&C server is a stand-alone brute force module that attempts SSH logins with weak passwords and also includes a telnet scanning function.
The attackers have maintained and updated the DDoS attack module for a long time. Compared with earlier samples, the latest version adds several UDP-based flooding attacks. Its DDoS attack methods are as follows:
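To make the locking step concrete, here is an added example (not from the report, and not the malware's code): a Python model of a single-instance exclusive lock built on flock(2), plus a non-blocking probe a responder can use to tell whether a pid.lock found on a host is actively held. The report names only the fslock library; modelling it with flock(2) is this example's assumption, and the file and function names are its own.

```python
import errno
import fcntl
import os
import tempfile

def try_exclusive_lock(path: str):
    """Open path and take a non-blocking exclusive flock(2) on it, the way a single-instance
    lock such as KmsdBot's pid.lock works. Returns the open file on success, or None when
    another open file description already holds the lock."""
    f = open(path, "a+")
    try:
        fcntl.flock(f.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        f.close()
        if e.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
            return None
        raise
    return f

def lock_is_held(path: str) -> bool:
    """Responder probe: is the lock on this pid.lock currently held by a live process?
    The non-blocking attempt never waits, and a successful probe releases at once."""
    f = try_exclusive_lock(path)
    if f is None:
        return True
    fcntl.flock(f.fileno(), fcntl.LOCK_UN)
    f.close()
    return False

def demo() -> tuple:
    """Constructed scenario in a temporary directory: a first 'instance' takes the lock,
    a second one is refused, and the lock disappears when the holder closes the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pid.lock")
        first = try_exclusive_lock(path)
        held_while_running = lock_is_held(path)
        second = try_exclusive_lock(path)          # refused while `first` is open
        first.close()                              # closing the fd releases the flock
        held_after_exit = lock_is_held(path)
        # the pid.lock file itself stays on disk: a durable artifact even after the process exits
        return (first is not None, held_while_running, second is None, held_after_exit, os.path.exists(path))
```

On Linux a held flock also appears in /proc/locks, which lets you map the lock to a PID without touching the file at all.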
Table 2.3 DDoS attack methods
tcp_flood, tcphex_flood, udp_flood, udphex_flood, udpvse_flood, http_flood
2.4 Mining module
KmsdBot fully controls the mining program's workflow: it downloads, loads and updates the miner through the functions "main_reloadminer", "main_startminer" and "main_updateminer".
It is also worth noting that the mining program is named "watchdog", resembling the Linux daemon of that name, to mislead victims, and that it uses TLS to keep its communication private. The parameters used to start the mining process are as follows:
The wallet address used in the latest version is as follows:
2.5 Directional attack module
Unlike traditional botnet families, later versions of KmsdBot have built-in modules for targeted attacks against FiveM.
In the latest version these attack modules are integrated and optimized to improve the efficiency and stability of the DDoS attacks, and HTTP-based flooding attacks are launched against FiveM.
III. Conclusion
Since the KmsdBot botnet family was first discovered at the end of 2022, its versions have been updated frequently and its functionality keeps improving. It has both mining and DDoS capabilities as well as targeted attack modules, and has recently started a new round of activity. Drawing on the data accumulated in NSFOCUS's global threat hunting system, NSFOCUS Security Labs further catalogued the resources held by the controllers of this botnet family and found that the operation behind KmsdBot can be described as "a big business". Its attack scope covers Windows and Linux platforms, with multiple self-developed hacking tools including SSH brute forcing and mining. Besides KmsdBot, the botnets it controls include multiple Mirai variants. NSFOCUS Security Labs will continue to monitor KmsdBot and its controllers.
IV. IOC
Hash:
Currency Wallet: