Akamai analysts have released a report on KmsdBot, a new botnet that infiltrates victim systems over SSH and attacks game companies and car manufacturers.
This malware, written in Go, performs cryptocurrency mining as well as DDoS attacks. KmsdBot infections affect a wide variety of organizations, from gaming companies to luxury car manufacturers and cybersecurity firms.
Let us remind you that we also wrote "Cloud9 Botnet Attacks Chrome with Malicious Extensions" and "Azov Ransomware Wiper Operators Try to Set Up Ukraine and Well-Known Information Security Specialists".
KmsdBot takes its name from the executable kmsd.exe, which is downloaded from the attackers' remote server after a successful compromise. The malware is known to support multiple architectures, including Winx86, Arm64, mips64 and x86_64. The researchers note that KmsdBot can scan for further targets and spread on its own using an externally loaded list of login and password combinations.
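The propagation method described above (a bot trying a downloaded list of login and password pairs over SSH) leaves a distinctive trace on every host it touches: a burst of failed sshd logins from one source across several usernames, sometimes followed by an accepted password login. The following is an added example, not code from the Akamai report or from this article, showing how a defender can pull that pattern out of sshd log lines. The log lines, hostnames and addresses are constructed for the example (the IPs come from the RFC 5737 documentation ranges); the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sshd log lines, not taken from the report. The pattern mirrors a
# credential-list scan: many usernames from one source, then one success.
SAMPLE_AUTH_LOG = """\
Nov 10 12:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 10 12:00:02 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Nov 10 12:00:02 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 40138 ssh2
Nov 10 12:00:03 host1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 40144 ssh2
Nov 10 12:00:03 host1 sshd[2209]: Accepted password for ubuntu from 203.0.113.5 port 40150 ssh2
Nov 10 12:01:10 host1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov 10 12:01:40 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

# OpenSSH writes "invalid user" only when the account does not exist, so the
# optional group lets both forms yield the attempted username.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_ssh_auth(log_text):
    """Per source address: number of failed logins, the distinct usernames
    tried, and any accepted logins (user, auth method)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failed"] += 1
            s["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"].append((m["user"], m["method"]))
    return stats


def flag_credential_spraying(stats, min_failed=3, min_users=2):
    """A source that fails repeatedly across several usernames matches a
    credential-list scan. A password (not key) success from the same source
    afterwards is the case to escalate first. Thresholds are assumptions."""
    findings = []
    for ip, s in stats.items():
        if s["failed"] >= min_failed and len(s["users"]) >= min_users:
            findings.append({
                "ip": ip,
                "failed": s["failed"],
                "users": sorted(s["users"]),
                "success_after_spray": [a for a in s["accepted"] if a[1] == "password"],
            })
    return findings


if __name__ == "__main__":
    for finding in flag_credential_spraying(summarize_ssh_auth(SAMPLE_AUTH_LOG)):
        print(finding)
```

The two-stage split (summarize, then flag) keeps the per-source counters reusable: the same `stats` can feed a rate check, a blocklist export, or a lower threshold for hosts that should never see password authentication at all.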
According to Akamai, the first known target of this malware was the gaming company FiveM, which develops a multiplayer modification for Grand Theft Auto V that lets players run custom Grand Theft Auto Online servers. Attacks on security companies and luxury car brands have also been observed.
KmsdBot's DDoS attacks operate at Layer 4 and Layer 7, that is, they are based on TCP and UDP traffic (Layer 4) and on HTTP GET and POST requests (Layer 7).
While observing the botnet, the researchers saw no mining activity; the botnet was engaged only in DDoS attacks. However, the malware does contain mining functionality (like the Cloud Botnet, for example): the command ./ksmdr -o pool.hashvault.pro was found in the code, where ksmdr is a renamed XMRig binary. Since the botnet is still in development, these features evidently do not yet work as intended.
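Renaming the XMRig binary (kmsd, ksmdr) defeats detections keyed on the file name, but not detections keyed on the command line: the quoted command still hands the miner a pool endpoint through XMRig's `-o` option. Below is an added example, not code from the article or the Akamai report, that scores process command lines on that basis instead of on the binary name. The XMRig option names used (`-o`/`--url`, `-u`/`--user`, `-p`/`--pass`, `-a`/`--algo`, `-k`/`--keepalive`, `--donate-level`) are XMRig's real options; the process list, the placeholder pool host and the wallet string are constructed for the example, and the "pool-like" heuristic is an assumption a practitioner would extend with their own pool and port lists.

```python
import re

# XMRig options that carry the pool endpoint, and options that are weaker
# corroborating signals on their own (several are shared with common tools).
URL_FLAGS = {"-o", "--url"}
SECONDARY_FLAGS = {"-u", "--user", "-p", "--pass", "-a", "--algo",
                   "-k", "--keepalive", "--donate-level"}

# Optional stratum scheme, a hostname, optional port. Anything with a path
# separator or spaces (an output file path, for instance) fails to match.
HOST_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+)(?::\d+)?$")


def _pool_like(value):
    """True if a -o/--url argument looks like a mining pool endpoint rather than
    an output file: a stratum scheme, or a bare hostname containing 'pool'.
    Heuristic assumption; extend with known pool domains and ports."""
    m = HOST_RE.match(value)
    if not m:
        return False
    return value.startswith("stratum+") or "pool" in m.group(1).lower()


def score_miner_cmdline(argv):
    """Return (url_hit, score). The executable name (argv[0]) is deliberately
    ignored because the report shows the miner being renamed."""
    url_hit = False
    score = 0
    for i, tok in enumerate(argv[1:], start=1):
        flag, _, inline_val = tok.partition("=")       # handles --url=host:port
        if flag in URL_FLAGS:
            val = inline_val or (argv[i + 1] if i + 1 < len(argv) else "")
            if _pool_like(val):
                url_hit = True
                score += 2
        elif flag in SECONDARY_FLAGS:
            score += 1
    return url_hit, score


def flag_renamed_miners(processes):
    """processes: iterable of (pid, argv list). A process is flagged only when a
    pool-like endpoint is present; the score ranks flagged hits for triage."""
    flagged = []
    for pid, argv in processes:
        url_hit, score = score_miner_cmdline(argv)
        if url_hit:
            flagged.append((pid, score))
    return flagged


# Constructed process list: one entry modelled on the command quoted in the
# report, one with placeholder pool and wallet values, two benign uses of -o.
SAMPLE_PROCESSES = [
    (4102, ["./ksmdr", "-o", "pool.hashvault.pro"]),
    (4177, ["/tmp/.x/kswapd0", "--url=stratum+tcp://POOL-PLACEHOLDER.example:3333",
            "-u", "WALLET-PLACEHOLDER", "--donate-level", "1"]),
    (1820, ["gcc", "-o", "main", "main.c"]),
    (1911, ["python3", "report.py", "-o", "output.txt"]),
]

if __name__ == "__main__":
    for pid, score in flag_renamed_miners(SAMPLE_PROCESSES):
        print(f"pid {pid}: miner-like command line, score {score}")
```

On a live host the `argv` lists would come from `/proc/<pid>/cmdline` (NUL-separated) or an EDR process-creation event; requiring the pool-like URL before flagging keeps `gcc -o` and similar benign uses of `-o` out of the results, while the secondary flags only affect ranking.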