Akamai's research team reported that a recently discovered crypto-mining botnet, KmsdBot, was accidentally destroyed by its own operators.
The botnet could no longer issue commands because of a syntax error in a command, and was effectively destroyed as a result.
KmsdBot with its C2 functionality
KmsdBot, a crypto-mining botnet, uses weak credentials to infect its victims and deploy the miner. KmsdBot also has command-and-control (C2) capabilities.
The botnet was found in one of Akamai's honeypots. After assessing the situation, Akamai reported its findings.
The botnet ships binaries for a variety of microarchitectures to target Linux and Windows devices. It then deploys the following components on those devices:
- Miners
- Bot army for DDoS
The group focuses on companies involved in technology and gaming, as well as manufacturers of luxury vehicles.
It is important to remember that C2 capability can be a deadly trait in any malicious entity, and KmsdBot has this C2 functionality.
Event Information
Akamai observed the operators controlling the botnet, and saw them send a command that mistakenly neutralized the malware.
The bot stopped working when it was given a wrongly formatted command. This was possible because the bot did not include an error-checking function that would validate a command before executing it.
On infected devices, the Go binary stops communicating with its C2 server. This happened when an instruction was sent with the target site and the port number not separated by a space.
With the botnet unable to function, no persistence mechanism remains, so the operators would have to infect the target devices again to regain control.
This illustrates how unpredictable technology can be, and how anyone who exploits it may find themselves being exploited in turn.