KmsdBot: DDoS and cryptomining combined

Summary

  • Discovered in November 2022
  • Targets gaming and technology industries as well as luxury car manufacturers
  • Infects systems (via SSH connection) that use weak login credentials
  • Developed as a bot for DDoS attacks with cryptomining ability
  • Written in Golang, supports different architectures

Introduction

On November 10, 2022, the Akamai Security Intelligence Response Team published an article describing the newly spotted KmsdBot, which had infected their honeypot. Gaming company FiveM, which provides software for hosting custom private GTA V servers (and happens to be an Akamai client), became the first known victim. During their investigation, researchers found many samples built for different architectures, including x86_64, arm64, mips64 and others.

Technical details

Overview

All KmsdBot samples are written in Golang and are built for different architectures. Each of them contains a large number of functions (more than 2,000).

Execution

At the start of execution, both the Windows and Linux samples connect to the ‘109.206.241.112’ IP address. As this server was offline at the time of analysis, the sample kept trying to reconnect indefinitely.


The ‘main_Client_Handle’ function handles received commands and executes them using the ‘main_Command_Handle’ set of functions.


Depending on the command, KmsdBot can then execute the following functions:

  • main_updateminer — downloads and updates client
  • main_updateclient — downloads and updates miner
  • main_scan — starts scanning opened SSH ports
  • main_stopscan — terminates scanning process
  • main_stopmine — terminates mining process
  • main_startminer — starts mining process
  • main_start — starts program execution
  • main_startbythreads — used to create threads and start executing these functions: main_udpfivem, main_tcpvse, main_tcpfivem, main_udpvse
  • main_starthttp — begins HTTP routine, which includes these functions: main_post, main_post1, main_fivem, main_guid, main_main_get, main_getrandpath, main_bigdata

The sample (sha256: 09761d69bd5b00b2e767a1105dd3e80ce17b795cd817676c737a1e83c5b96f1b) built for Windows was used in the attack against the FiveM company, and it has a set of functions developed specifically for that target:

  • main_fivem
  • main_fivemtoken
  • main_randomfivemdata
  • main_tcpfivem
  • main_tcpfivemtoken
  • main_udpfivem
  • main_udpfivemtoken

KmsdBot opens a UDP socket and constructs a packet carrying a FiveM token to deceive the FiveM server. This makes the server believe that a user is starting a new session, so it wastes additional resources on each packet. The packet is built from a string stored in a large block of data.

Although this data is stored as one big string, it consists of many separate strings: tokens, IP addresses and commands to be executed. During execution, KmsdBot frequently loads data from this block, using offsets to obtain a particular string.


After a connection with the server is established, the bot maintains it for further execution. Unlike the Windows version, the Linux samples have no FiveM-specific functions, which is the main difference between the two KmsdBot versions.


In the cryptomining function ‘main_randomwallet’, there are several hardcoded crypto wallet addresses:


The Linux samples have different saved wallets.


The Linux sample also has a function that downloads and executes malware using stored commands; this is the activity Akamai Security Research spotted in its honeypot.


Before downloading, it determines the system architecture by comparing it against a stored list.


All stored architecture names:

  • x86_64
  • 386
  • arm64array
  • armv71
  • mips64
  • mips64le
  • mipsle
  • mipsel
  • mips64el
  • s390x
  • ppc
  • i686
  • ppc64le
  • riscv64
  • aarch64
  • unknown

The Linux samples have functions to download files containing candidate credentials for subsequent SSH brute-forcing.


After the file is downloaded, it calls the ‘main_sshcheck’ function to brute-force SSH credentials.


It loads the credentials from the file and tries them against the target system.


Not all Linux x86-64 samples have the same functionality. For example, one of them lacks the functions for updating both the bot and the miner, while another lacks the functions to download a credential list and brute-force SSH.


These differences indicate that the samples are simply different versions of a malware family that is still in development; with each update, it gains more functions.
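As an added illustration (not Acronis or Akamai tooling), the following Python script triages a binary for the indicators this report describes: the Go function names from the command handler, the ‘109.206.241.112’ address, the stored architecture table and the IoC hashes. The scoring weights, the dotted-symbol check and the sample bytes are assumptions.

```python
"""Static triage of a suspected KmsdBot binary (added example; not Acronis
or Akamai tooling). Looks for the function names, C2 address and
architecture table described in this report and checks the SHA256 against
the report's IoC list. Weights and sample bytes are assumptions."""
import hashlib

# Indicators taken from the report; the weights are an assumption.
FUNCTION_NAMES = {
    "main_sshcheck": 3, "main_randomwallet": 3, "main_updateminer": 2,
    "main_updateclient": 2, "main_startminer": 2, "main_scan": 1,
    "main_tcpfivem": 2, "main_udpfivem": 2, "main_fivemtoken": 2,
}
C2_ADDRESSES = {"109.206.241.112": 3}
ARCH_TABLE = ["x86_64", "386", "mips64le", "s390x", "riscv64", "ppc64le"]
KNOWN_SHA256 = {  # two of the report's IoC hashes
    "09761d69bd5b00b2e767a1105dd3e80ce17b795cd817676c737a1e83c5b96f1b": "kumd (Windows)",
    "7fe04a3307666e6b6dac381664c901daea3ed5e8af3d7700ac5bde9550350d5a": "kmsd (AMD64)",
}

def _present(indicator: str, data: bytes) -> bool:
    """Disassemblers render the Go symbol main.sshcheck as main_sshcheck;
    the on-disk symbol table keeps the dot, so both spellings are checked."""
    variants = {indicator, indicator.replace("main_", "main.", 1)}
    return any(v.encode() in data for v in variants)

def triage(data: bytes) -> dict:
    """Return the matched indicators, a weighted score and an IoC lookup."""
    found, score = [], 0
    for indicator, weight in {**FUNCTION_NAMES, **C2_ADDRESSES}.items():
        if _present(indicator, data):
            found.append(indicator)
            score += weight
    # A Go sample carries the whole architecture table; short names such as
    # "386" occur in benign files too, so require several of them at once.
    if sum(a.encode() in data for a in ARCH_TABLE) >= 4:
        found.append("arch-table")
        score += 2
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "known_as": KNOWN_SHA256.get(digest),
            "matches": sorted(found), "score": score,
            "verdict": "kmsdbot-like" if score >= 5 else "no-match"}

# Constructed blobs imitating the string table of a Go binary (not real samples).
SAMPLE = (b"\x7fELF" + b"\x00" * 12 + b"main.sshcheck\x00main.randomwallet\x00"
          b"main.updateminer\x00109.206.241.112:1337\x00"
          b"x86_64\x00386\x00mips64le\x00s390x\x00riscv64\x00ppc64le\x00")
BENIGN = b"\x7fELF" + b"\x00" * 12 + b"main.main\x00runtime.newproc\x00"
```

Run `triage(open(path, "rb").read())` on a file to get its hash, matched indicators and verdict; the string checks are a triage aid, not a substitute for hash or sandbox confirmation.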

Network activity

KmsdBot uses the TCP, UDP and HTTP protocols to communicate with its servers. The server at the ‘109.206.241.112’ IP address has already been taken offline.


During execution, the Linux version connects to the ‘185.125.188.58’ IP address multiple times.


This IP address belongs to Canonical, the publisher of Ubuntu. According to VirusTotal, it is also contacted quite often by other malware.


Conclusion

KmsdBot is a rare type of botnet that combines DDoS with cryptomining functionality. That is why gaming is one of the targeted industries: its victims are likely to own powerful hardware that makes cryptocurrency mining more effective.

KmsdBot has many samples built for different architectures, some of which are PE64 files, all written in Golang. A Windows sample was used to attack the FiveM gaming company, and it contains many tokens for obtaining access to FiveM servers. To infect victims’ systems, it relies on weak SSH login credentials, a weakness cybercriminals exploit frequently. Since some of these samples appear to be different versions of the same malware, it is still in development. Gaming companies should therefore take action to prevent further attacks on their systems.

Detected by Acronis


IoCs

Files

SHA256                                                            Description
09761d69bd5b00b2e767a1105dd3e80ce17b795cd817676c737a1e83c5b96f1b  kumd (Windows)
8d1df3c5357adbab988c62682c85b51582649ff8a3b5c21fca3780fe220e5b11  ksmdm (Linux x86-64)
714eeba5b6e4610946cd07c1ddadddc94052bfe450a8a9b1c23495721082884d  ksmdx (Linux x86-64)
e83a61c538f11e4fc9dd9d0f414a9e74d0d585ffe3302e4d3741be6a3523bd1e  ksmds (Linux x86-64)
7fe04a3307666e6b6dac381664c901daea3ed5e8af3d7700ac5bde9550350d5a  kmsd (AMD64)
2e091ecc4c912e6fbe4258da470459018dc8f3efde2803281a416a2c8eb8cf1a  kmsd (ARM)
da609100cb66e6e4e79916ca1e7481269406e6a484f46187b3accb1626552d61  kmsd (mips)
8136613eb3427f908a200f52b7938cc184a31b626b6c85a35e664c064de6d533  kmsd (mips64)
50f2fb45c11e40ea4bbf4a8a733b6e65ce25c3f182aa0aa33ffb59ebae712003  kmsd (mipsle)
e5a06b250ba10fe0156efe7399b321cb8b1fc8b1929e49ee62d837fa1440313f  kmsd (ppc64)
2971a37849388c7c3af0840eabc52f0b604fb9894429b7397100b12a069cfeff  kmsd (ppc64le)
247b0d5e40b8b1ec316e9700b499a2dc20d73bfd7f36d913e7725334a2818a7e  kmsd (riscv64)
7517e597a6ba4a8659b2dd4252085a99baca000684435f8b451af1418bfcac84  kmsd (s390x)