CyberWire Daily - Encore: Another infection with new malware. [Research Saturday]

Episode Date: November 25, 2023

Larry Cashdollar, Principal Security Intelligence Response Engineer from Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot. The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection. The research can be found here: KmsdBot: The Attack and Mine Malware

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
[00:01:54] I recently had downloaded a honeypot that was written in Golang, and it was immediately getting hits after, I'd say, 15 or 20 minutes of being up. But I noticed an automated scan came in, and it tried to download some malware to my system. That's Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai. The research we're discussing today is titled "KmsdBot: The Attack and Mine Malware." And normally the hits are just, you know, SSH scanners and folks just looking to drop an XMRig on there and do some mining. But I noticed an automated scan came in and it tried to download some malware to my system. I'm like, yeah, that's interesting.
[00:02:55] The honeypot didn't download the malware because it's just not working properly yet. So I manually downloaded it and realized it was written in Go. And I'm like, oh, neat, a piece of Go malware. Even more for you to continue your education in Golang, right? I've been working on learning how to reverse engineer malware, or Golang malware. And I'm like, oh, so this will be something I can sink my teeth into. So I started digging into it and I'm like, okay, this is actually kind of interesting. And then I started a document
[00:03:32] just to sort of take notes and write stuff up. And then where I live in Florida, we got hit with a hurricane. So that kind of delayed my research for about two weeks. And then I got sick. That delayed my research another week and a half. Insult to injury, right? This is the real world interfering with the technical world, right? Yeah.
[00:03:59] I'm guessing I had COVID, but I never tested positive, even though I kept testing and I was pretty sick for a couple of days with a fever. But I just assumed it was COVID and just stayed in my room. And my family stayed on the other side of the house. But after I started feeling better, I'm like, you know, I'm going to go back to that botnet that I found and start poking at it some more. And one night during a bout of insomnia, I ended up in my office and decided I was going to poke at it. And I started digging into the malware, looking at the functions and disassembling functions and looking at the code. And I realized this thing looks like it has a pretty simple command and control structure, where it sends a simple 0x02, or it starts off with a null byte it sends to the command and control server, the command and control server sends back a hexadecimal one, and then the response is
Starting point is 00:04:59 hexadecimal two and i'm like okay i'm gonna to sit and write a Golang program to emulate this malware to see if I can talk to the C2. And then this is 3.30 in the morning. And so then I managed to get this little piece of software to talk to this command and control server. And it's sending a heartbeat with the OX01, OX02 back and forth. Every second or so, I'm getting a response. I'm like, okay, neat, I'm talking to C2. And then I see an attack command come in. And I'm like, wait, attack commands are just in clear text?
[00:05:35] So I'm like, well, this is even neater. So then I wrote this little tool to log the attack commands, and then I actually detonated the botnet in my lab on a network where the outbound traffic is heavily throttled. It only can get, I think, 32 kilobits per second out. So if there's any attacks, its damage is limited. So I had it running there and was watching it for a couple of days. And then I saw that they actually had revised the malware and had another version of it that had more functions in it.
[00:06:16] And it actually had a new command and control server. So I'm like, okay, I'm just going to monitor this malware for a while and then take notes and write it up. And I'm expecting to have two more blog posts on this malware after this. So there's a lot more to be told about it. So it's up-and-coming research. Yeah. Well, let's go through the things that you've discovered together here. I mean, starting out with just sort of some high-level stuff, what is the goal of these folks?
[00:06:46] What does it seem to you as though they're after? So in my research and in my mind and my observations, the malware seems to be specific to the gaming. Well, initially it looked specific to the gaming industry. It looked like it was specifically targeted at third-party GTA hosting servers. So for folks who aren't gamers, I'm not a gamer, I had to ask my 13-year-old son, Max, and there's a company called FiveM where they host GTA servers on their network, where you can actually run a GTA (Grand Theft Auto) server and have your friends connect to it and play on your own server.
[00:07:29] So it looked like it was specifically written to target those servers because there were actual functions in the code that said attack FiveM. And the packets that were being sent had authentication tokens specific to the FiveM protocol for their system. So what it looked like to me was it was something to send a packet to initiate either authentication or a session and then just overwhelm the server and try and take it offline by just repeatedly saying, I'm going to start a session with you and then just never respond.
[00:08:11] The malware also has the ability to mine crypto, which it has functions to actually start and stop a crypto miner. It has functions to load different random wallets that are in a list. And then I actually haven't seen it do any crypto mining yet in my observations of it. It's mostly been used for DDoS. But I figured that the people who wrote this initially, I think, wanted something that they could use to take down certain gaming servers and then mine crypto in the interim. But this botnet can also be used to target arbitrary folks. So you can send a command to have it attack anything, not just FiveM, which we'll get to some of the other targets as this thing branches out.
[00:09:03] And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever
[00:09:30] with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on
[00:09:52] identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. So, in terms of the DDoSing, we hear about rivalries among different folks in the gaming world. Does it seem like that's what this is, like a nuisance kind of thing where you're going to take down the folks who you have a bit of a beef with and take down their server? That's what I initially thought.
[00:10:41] I initially thought that these were fellow gamers that developed this and they were using it to specifically target gaming sites. Now, what changed my mind was that they actually started targeting universities and they started targeting high-end automobile manufacturers of the highest end. And then they started targeting churches in Germany and then government websites in Brazil. So then I realized that it wasn't just a bunch of gaming kids that were targeting gaming sites.
[00:11:16] This might be an actual botnet that either someone is renting out for a fee. You can target a specific site for X amount of time for X amount of money, or it was being lent out to other folks who could say, hey, I want to target this site for 60 seconds with a UDP attack. So it's something else was going on there because of the erraticness of the targets. So we're still monitoring the targets. It's actually been relatively quiet right now, but I'm sure it'll spin back up. And in terms of the sophistication that you think we're dealing with here, I mean, you mentioned that this is written in Golang, which is, my sense is becoming more and more popular.
[00:11:59] Can you speak to why that is? Why are folks choosing that particular development language? I think Golang offers a lot of functionality and it's a relatively robust language that I think malware authors are leaning towards because it's got a lot of built-in functions that you might have to implement yourself in other programming languages. And I think because of the way the Golang binaries are built, they're statically compiled. So you get a 10, 15 megabyte compiled binary versus a, you know, 40, 50 kilobyte compiled binary that's in C. I think the malware authors are realizing that it's harder to reverse engineer Golang because it's more of a ball of spaghetti, really, is what the Golang binaries are. And the way Golang binaries organize their strings, the strings aren't just kept in the binary in certain areas.
[00:12:57] It's like one ball. And that ball is indexed and carved up to get the string that you want out of that section of the binary and then use in the program. So it's more tedious for reverse engineers, I think, to edit or to not edit, but to reverse engineer a Golang binary. So I think that's why the authors are leaning towards it. So in terms of defending yourself against this, what are your recommendations?
[00:13:23] I recommend that if folks have systems that are internet-facing, they should either disable password authentication and only allow SSH key authentication, or they should ensure that their passwords are secure. Because this thing has a list of passwords that it can download and update from itself or from the command and control server. They have a list of passwords that can be dynamically updated. And they try those passwords over SSH at unsuspecting systems on the network, on the internet.
[00:13:58] And if you don't allow password authentication, there's no way they can get in through that method. Now, whether they make any adjustments on how they infect systems is yet to be seen, but that's their primary infection vector is weak SSH login credentials. And to what degree are they attempting to be stealthy here? Are they making a lot of noise or trying to sneak around in the shadows? At this time, it seems like they're not being very stealthy. The command and control IP address is one of the,
[00:14:33] it's in the top list for malicious IP addresses that we've noticed this last two weeks. And it seems like the malware itself doesn't try to keep persistence. It doesn't try to add itself to cron. It doesn't try to do anything like that. And it just generally will run as whatever it's logged in as. So at this time, it seems like it's an initial implementation of the botnet, and it's not really trying anything too stealthy yet.
[00:15:00] I'm curious, just as a little aside here, could you give us a little bit of your insights when it comes to spinning up honeypots themselves? I mean, what sorts of things do you do as a researcher to make them most effective? I try to make them look as real as a legitimate system as possible. And in some cases, I've actually used legitimate systems as a honeypot, where I've actually taken like an SSH Docker and modified the SSH daemon on it to log the session to disk, rather than, you know, actually use an SSH honeypot. This was actually just a Docker image that was running with a backdoored SSH daemon. So that's some of the stuff that I'll do as a researcher to try and, you know, get the bad actors to think that the system is a legit system when it's actually me monitoring their actions. And where do we stand in that arms race in terms of the bad actors being
[00:15:59] able to detect honeypots and, you know, folks like yourselves trying to make them look as real as possible? I feel like we're always neck and neck, you know, it's cat and mouse, you know, they think of something and then, you know, we think of something and then, you know, one of us outdoes the other one and then, you know, the other person catches up and it just seems to go back and forth. You know, some of the more popular honeypots out there like Cowrie are easily fingerprinted, so they're effective in getting some traffic, but not all traffic. So it's really been a challenge to sort of just keep up with everything. You mentioned that this is the first step of some continuing research you're going to do with this particular bot. What does the future hold here? What sort of things are you going to take a look at next?
[00:16:49] I'm going to investigate the actual attack commands and the attack traffic in one of the blog posts. And then we're going to examine a misstep that the bot authors took when they were attacking a site. And I'll go into that when I actually write the blog post, but it's actually an interesting story. Our thanks to Larry Cashdollar from Akamai for joining us. The research is titled "KmsdBot: The Attack and Mine Malware." We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
[00:17:47] Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with Black Cloak. Learn more at blackcloak.io. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
[00:18:35] Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here next week.
