A new malware, called KmsdBot, strikes user devices. The Akamai SIRT has discovered a new malware that uses the SSH (Secure Shell) protocol to infiltrate target systems in order to mine cryptocurrency and carry out DDoS attacks. It spreads disguised as a bot for popular games, in particular, GTA V. The combined threat raises malware analysts’ concerns about the possible massive spreading of such malware.
KmsdBot strikes, using security vulnerabilities
The experts called the malware KmsdBot. It is developed on the basis of Golang and is aimed at various companies – from gaming to automotive brands and security firms. GoLang gains popularity among malware developers, as it is quite hard to reverse engineer this language. The botnet infects systems via an SSH connection using “weak” login credentials. KmsdBot does not remain persistent on the infected system to avoid detection.
The malware gets its name from the “kmsd.exe” executable, which is downloaded from a remote server after a successful compromise. It is also designed to support multiple architectures – Winx86, Arm64, mips64 and x86_64. KmsdBot can perform scan and self-propagation operations by downloading a list of username/password combinations. The botnet is also able to control mining processes and malware updates. The control is possible through the communications with C2 server.
According to Akamai, the first detected target of KmsdBot was the gaming company FiveM, a multiplayer mod for GTA V that allows players to access custom role-playing servers. Botnet DDoS attacks include OSI Layer 4 and 7 attacks, in which a flood of TCP, UDP, or HTTP GET requests are sent to overwhelm the target server’s resources and bring it into a denial of service state. It is noteworthy that the KmsdBot botnet began as a bot for a gaming application, but turned into a tool for attacking worldwide-known names.
Is KmsdBot dangerous?
As any other malware, KmsdBot is not a pleasant addition to the infected system. It brings coin mining and DDoS capabilities, which creates enough problems with PC usage, regardless of the task. Mining supposes high hardware utilisation rates, which makes it problematic even to use basic apps. DDoS attacks, on the other hand, not just take a lot of bandwidth, but can also lead to bans for the IP address of an infected PC on the attacked sites.
The other edge of danger for this malware is the way it spreads into the users’ computers. Aside from the fact that exploitation is not a typical thing for malware that aims at single users, it also opted for a disguise of a bot for the game – GTA V. Gamers are known as not the most careful users, as they are the common public for cracks, patches, and different automatisation tools like bots. Since GTA V is not the sole game that makes the bot usage profitable, it will be obvious to see the KmsdBot spreading surge in the nearest weeks.
