An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface.
The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it’s being actively maintained indicates its effectiveness in real-world attacks.
KmsdBot was first documented by the web infrastructure and security company in November 2022. It’s mainly designed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites.
The malware is designed to scan random IP addresses for open SSH ports and brute-force the system with a password list downloaded from an actor-controlled server. The new updates incorporate Telnet scanning as well as allow it to cover more CPU architectures commonly found in IoT devices.
“Like the SSH scanner, the Telnet scanner calls a function that generates a random IP address,” Cashdollar explained. “Then, it attempts to connect to port 23 on that IP address. The Telnet scanner doesn’t stop at a simple port 23 is listening/not listening decision, however; it verifies that the receiving buffer contains data.”
The attack against Telnet is accomplished by downloading a text file (telnet.txt) that contains a list of commonly used weak passwords and their combinations for a wide range of applications, mainly taking advantage of the fact that many IoT devices have their default credentials unchanges.
“The ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems,” Cashdollar said.
“From a technical perspective, the addition of telnet scanning capabilities suggests an expansion in the botnet’s attack surface, enabling it to target a wider range of devices. Moreover, as the malware evolves and adds support for more CPU architectures, it poses an ongoing threat to the security of internet-connected devices.”