CyberWire Daily - Another infection with new malware. [Research Saturday]

Episode Date: November 19, 2022

Larry Cashdollar, Principal Security Intelligence Response Engineer from Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot. The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection. The research can be found here: KmsdBot: The Attack and Mine Malware

Transcript
[00:00:00] You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts,
[00:01:08] tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. I recently had downloaded a honeypot that was written in Golang, and it was immediately getting hits after, I'd say, 15 or 20 minutes of being up. But I noticed an automated scan came in, and it tried to download some malware to my system. That's Larry Cashdollar,
[00:01:46] Principal Security Intelligence Response Engineer at Akamai. The research we're discussing today is titled KmsdBot: The Attack and Mine Malware. And normally the hits are just, you know, SSH scanners and folks just looking to drop an XMRig on there and do some mining. But I noticed an automated scan came in and it tried to download some malware to my system. I'm like, oh, that's interesting. You know, the honeypot didn't download the malware
[00:02:27] because it's just not working properly yet. So I manually downloaded it and realized it was written in Go. And I'm like, oh, neat, a piece of Go malware. Even more for you to continue your education in Golang, right? I've been working on learning how to reverse engineer malware or Golang malware.
[00:02:50] And I'm like, oh, so this will be something I can sink my teeth into. So I started digging into it, and I'm like, okay, this is actually kind of interesting. And then I started a document, like, just to sort of take notes and write stuff up. And then where I live in Florida, we got hit with a hurricane.
[00:03:08] So that kind of delayed my research for about two weeks. And then I got sick. So that delayed my research another week and a half. Insult to injury, right? It's just the real world interfering with the technical world, right? Yeah. And I, you know, I likely, I'm guessing I had COVID, but I never tested positive, even though I kept testing and I was pretty sick for a couple of days with a fever. But I just assumed it was COVID and just stayed in my room. And my family's staying on the other
[00:03:43] side of the house. After I started feeling better, I'm like, I'm going to go back to that botnet that I found and start poking at it some more. One night during a bout of insomnia, I ended up in my office and decided I was going to poke at it. I started digging into the malware, looking at the functions and disassembling functions and looking at the code. And I realized this thing looks like it has a pretty simple command and control structure where it sends a simple 0x2,
[00:04:17] where it starts off with a null byte. It sends to the command and control server. The command and control server sends back a hexadecimal one, and then the response is a hexadecimal two. And I'm like, okay, I'm going to sit and write a Golang program to emulate this malware to see if I can talk to the C2. And then this is 3:30 in the morning. And so then I managed to get this little piece of software
[00:04:43] to talk to this command and control server, and it's sending a heartbeat with the 0x01, 0x02 back and forth. Every second or so I'm getting a response. I'm like, okay, neat, I'm talking to C2. And then I see an attack command come in. And I'm like, wait, attack commands are just in clear text? So I'm like, well, this is even neater. So then I started, I wrote this little tool to log the attack commands,
[00:05:11] and then I actually detonated the botnet in my lab on a network where the outbound traffic is heavily throttled. It only can get, I think, 32 kilobits per second out. So if there's any attacks, its damage is limited. So I had it running there and was watching it for a couple of days. And then I saw that they actually had revised the malware and had another version of it that had more functions in it, and it actually had a new command and control server. So I'm like, okay, I'm just going to monitor this malware for a while
[00:05:52] and then take notes and write it up. And I'm expecting to have two more blog posts on this malware after this. So there's a lot more to be told about it. So it's up-and-coming research. Yeah. Well, let's go through the things that you've discovered together here. I mean, starting out with just sort of some high-level stuff, what is the goal of these folks?
[00:06:15] What does it seem to you as though they're after? So in my research and in my mind and my observations, the malware seems to be specific to the gaming, well, initially it looked specific to the gaming industry. It looked like it was specifically targeted in third-party GTA hosting servers. So for folks who aren't gamers, I'm not a gamer, I had to ask my 13-year-old son Max, there's a company called FiveM that they host GTA servers on their network where you can actually run a GTA (Grand Theft Auto) server and have your friends connect to it and play on your own server.
[00:06:57] So it looked like it was specifically written to target those servers because there were actual functions in the code that said attack FiveM, and the packets that were being sent had authentication tokens specific to the FiveM protocol for their system. So what it looked like to me was it was something to send a packet to initiate either authentication or a session and then just overwhelm the server and try and take it offline by just repeatedly saying, I'm going to start a session with you and then just never respond. The malware also has the ability to mine crypto, which it has functions to actually start and stop a crypto miner. It has functions to load different random wallets that
[00:07:46] are in a list. And then I actually haven't seen it do any crypto mining yet in my observations of it. It's mostly used for DDoS. But I figured that the people who wrote this initially, I think, wanted something that they could use to take down certain gaming servers and then mine crypto in the interim. But this botnet can also be used to target arbitrary folks. So, you know, you can send a command to have it attack anything, not just FiveM, which I'll, you know, we'll get to some of the other targets as this thing branches out. And now, a message from our sponsor, Zscaler, the leader in cloud security.
[00:08:39] Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs
[00:08:56] that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
[00:09:16] not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
[00:09:39] Learn more at zscaler.com/security. So in terms of the DDoSing, we hear about rivalries among different folks in the gaming world. Does it seem like that's what this is, like a nuisance kind of thing where you're going to take down the folks who you have a bit of a beef with and take down their server? That's what I initially thought. I initially thought that these were fellow gamers that developed this, and they were using it to specifically target gaming sites. Now, what changed my mind was that they actually started targeting universities and they started targeting high-end automobile manufacturers of like the highest end. And then they started targeting churches in
[00:10:33] Germany and then government websites in Brazil. So then I realized that it wasn't just a bunch of, you know, gaming kids that were targeting gaming sites. This might be an actual botnet that either someone is renting out for a fee, you can target a specific site for X amount of time, for X amount of money, or it was being lent out to other folks who could say, hey, I want to target this site for 60 seconds with a UDP attack. So something else was going on there because of the erraticness of the targets. So we're still monitoring the targets. It's actually been relatively quiet right now, but I'm sure it'll spin back up. And in terms of the sophistication that you think we're dealing with here, I mean,
[00:11:22] you mentioned that this is written in Golang, which is, my sense is, becoming more and more popular. Can you speak to why that is? Why are folks choosing that particular development language? I think Golang offers a lot of functionality and it's a relatively robust language that I think malware authors are leaning towards because it's got a lot of built-in
[00:11:46] functions that you might have to implement yourself in other programming languages. And I think because of the way the Golang binaries are built, they're statically compiled. So you get a 10, 15 megabyte compiled binary versus a 40, 50 kilobyte compiled binary that's in C, I think the malware authors are realizing that it's harder to reverse engineer Golang because it's more of a ball of spaghetti, really, is what the Golang binaries are. And the way Golang binaries organize their strings,
[00:12:22] the strings aren't just kept in the binary in certain areas. It's like one ball. And that ball is indexed and carved up to get the string that you want out of that section of the binary and then used in the program. So it's more tedious for reverse engineers, I think, to edit or to not edit, but to reverse engineer a Golang binary. So I think that's why the authors are leaning towards it. So in terms of defending yourself against this, what are your recommendations? I recommend that if folks have systems that are internet facing, they should either disable password authentication and only allow SSH key authentication, or they should ensure that their passwords are secure. Because this thing has a list of passwords that it can download and
[00:13:13] update from itself or from the command and control server. They have a list of passwords that can be dynamically updated, and they try those passwords over SSH at unsuspecting systems on the network, on the internet. If you don't allow password authentication, there's no way they can get in through that method. Now, whether they make any adjustments on how they infect systems is yet to be seen, but that's their primary infection vector is weak SSH login credentials. To what degree are they attempting to be stealthy here? Are they making a lot of noise or trying to sneak around in the shadows? At this time, it seems like they're not being very stealthy. The command and control IP address is one of the,
[00:13:59] it's in the top list for malicious IP addresses that we've noticed this last two weeks. And it seems like the malware itself doesn't try to keep persistence. It doesn't try to add itself to cron. It doesn't try to do anything like that. And it just generally will run as whatever it's logged in as. So at this time, it seems like it's an initial implementation of the botnet, and it's not really trying anything too stealthy yet. I'm curious, just as a little aside here,
[00:14:33] could you give us a little bit of your insights when it comes to spinning up honeypots themselves? I mean, what sorts of things do you do as a researcher to make them most effective? I try to make them look as real as a legitimate system as possible. And in some cases, I've actually used legitimate systems as honeypots, where I've actually taken like an SSH Docker and modified the SSH daemon on it to log the session to disk rather than, you know, actually use an SSH honeypot. This was actually just a Docker image that was running with a backdoored SSH daemon. So that's some of the stuff that I'll do as a researcher to try and, you know, get the bad actors to think that the system is a legit system when it's actually me monitoring their actions. And where do we stand in that arms race in terms of the bad actors being able to detect honeypots
[00:15:29] and, you know, folks like yourselves trying to make them look as real as possible? I feel like we're always neck and neck, you know, it's cat and mouse, you know, they think of something and then, you know, we think of something and then, you know, one of us outdoes the other one and then the other person catches up and it just seems to go back and forth. Some of the more popular honeypots out there like Cowrie are easily fingerprinted, so they're effective in getting some traffic but not all traffic. So it's really been a challenge to sort of just keep up with everything. You mentioned that this is the first step of some continuing research you're going to do with this
[00:16:11] particular bot. What does the future hold here? What sort of things are you going to take a look at next? I'm going to investigate the actual attack commands and the attack traffic in one of the blog posts. And then we're going to examine a misstep that the bot authors took when they were attacking a site. And I'll go into that when I actually write the blog post, but it's actually an interesting story. Our thanks to Larry Cashdollar from Akamai for joining us. The research is titled KmsdBot: The Attack and Mine Malware. We'll have a link in the show notes.
[00:18:17] The CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
