A new botnet named KV-Botnet, composed of firewalls and routers from Cisco, DrayTek, Fortinet and NETGEAR, has been used as a covert data transfer network by attackers carrying out advanced persistent attacks, including the China-linked hacking group known as Volt Typhoon.

What cybersecurity experts say about KV-Botnet

Named KV-botnet by Lumen Technologies' Black Lotus Labs team, the malicious network is an amalgam of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a weak point in many companies' defenses, exacerbated by the shift to remote work in recent years,” the company said.

The two clusters, called KY and JDY, are considered distinct but working in “pairs” to facilitate access to high-profile victims and establish a covert infrastructure; telemetry data suggests the botnet is controlled from IP addresses based in China.

While JDY bots engage in broader scanning using less sophisticated techniques, the KY component, which targets products that are largely obsolete and out of production, appears to be reserved for manual operations against hand-picked high-profile targets.

Volt Typhoon is suspected to be at least one user of the KV-botnet, which likely comprises a subset of its operational infrastructure, as evidenced by the significant decline in botnet operations in June and early July 2023, coinciding with the public disclosure of the adversary collective's targeting of US critical infrastructure.

Microsoft, which first exposed the group's tactics, stated that “[the botnet] attempts to blend in with normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown; it is followed by first-stage malware that takes steps to remove security programs and other malware variants to ensure it is the “only presence” on the compromised machines.

The KV-Botnet malware is also designed to retrieve the main payload from a remote server; that payload, in addition to beaconing back to the same server, is capable of uploading and downloading files, executing commands, and running additional modules.

In the last month, the botnet's infrastructure has received a makeover, with the operators now targeting Axis IP cameras, indicating that they may be about to launch a new wave of attacks.

“One of the rather interesting aspects of this campaign is that all the tools appear to reside completely in memory,” the researchers said. “This makes detection extremely difficult, to the detriment of long-term persistence.”

“Since the malware resides completely in memory, simply turning the device off and on again allows the end user to stop the infection; even if this removes the imminent threat, reinfections occur regularly.”

Cases similar to KV-Botnet

