Cyber security researchers have detected malware called KmsdBot, which gains access to targeted systems over the SSH cryptographic network protocol and then uses them to carry out DDoS attacks and cryptocurrency mining.
KmsdBot spreads to systems that have weak SSH credentials: after logging in, it downloads the file “kmsd.exe” from a command-and-control (C2) server operated by the threat actors.
KmsdBot can scan targeted systems, spread to other systems by trying username and password combinations, control cryptocurrency mining processes and update itself. It has also been observed launching DDoS attacks that send Layer 4 TCP/UDP traffic or Layer 7 HTTP GET requests to strain the targeted server’s resources and hinder its ability to process and respond to requests.
The number of malware families that carry out cryptocurrency mining is increasing day by day. In the recently detected KmsdBot cryptocurrency mining campaign, threat actors target gaming, automobile and security companies. To avoid becoming a target of this campaign, the following measures are recommended:
- Use public key authentication for SSH connections.
- Do not use weak or default credentials on servers or deployed applications.
- Do not open attachments or links from suspicious-looking sender e-mail addresses.
- Be wary of untrustworthy content.
- Use up-to-date and comprehensive security solutions.
- Keep systems and applications up to date.
It is also strongly recommended that the IoCs associated with this attack campaign be blocked by security solutions.
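The two SSH-related recommendations above can be checked on a host. The following is an added example, not code from the original advisory or from the KmsdBot research: it flags sources that guess SSH passwords across several usernames in sshd log lines (the spreading behaviour described above), marks a source as a likely compromise when a password login succeeds after a burst of failures, and checks whether sshd_config still allows password authentication. The log lines, hostname and IP addresses are constructed for illustration, and the config check ignores Match blocks.

```python
"""Spot SSH password guessing and password-auth exposure (added example)."""
import re
from collections import defaultdict

# Constructed sshd lines; hostname and IPs are made up, not campaign IoCs.
SAMPLE_LOG = """\
Nov 10 09:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 10 09:01:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Nov 10 09:01:04 host1 sshd[2205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51126 ssh2
Nov 10 09:01:05 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51128 ssh2
Nov 10 09:01:06 host1 sshd[2209]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Nov 10 09:05:00 host1 sshd[2301]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 10 09:06:00 host1 sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def analyze(log_text, max_failures=3):
    """Return {ip: stats} for sources with more than max_failures failed
    password logins. 'compromised' becomes True if that source later gets
    a password login accepted, i.e. the guessing worked."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue  # ignore unrelated lines and public-key logins
        src = stats[m["ip"]]
        if m["result"] == "Failed":
            src["failures"] += 1
            src["users"].add(m["user"])
        elif src["failures"] > max_failures:
            src["compromised"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] > max_failures}


def password_auth_enabled(sshd_config):
    """True if sshd_config still permits password logins (OpenSSH default
    is yes when unset; sshd honours the first value of a keyword)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() == "yes"
    return True


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["failures"], "failures, users:", sorted(s["users"]), "compromised:", s["compromised"])
    print("password auth enabled:", password_auth_enabled("PasswordAuthentication no\n"))
```

On the sample log this flags 203.0.113.7 (four failures across root, admin and ubuntu, then an accepted password login) and leaves 198.51.100.4 alone, since one typo followed by a public-key login is normal use.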