This report is about a new virus referred to as "KBOT" by security researchers. The virus is built to inject into executable files and core Windows processes and its purpose is to steal sensitive information from infected hosts.
KBOT targets the user’s personal and financial data such as user credentials, cryptocurrency wallet data, installed applications, a list of files, and more. The malware is highly modular with the ability to download certain functionalities from command & control infrastructure. It avoids detection by creating a virtual file system and encrypting it with the RC6 encryption algorithm. The configuration files, stolen data, and downloaded content are stored inside the virtual file system.
The virus infects all files with the EXE file extension on logical drives which includes:
The virus adds polymorphic code to the file body section via listening for connection events targeting the IID_IwbemObjectSink interface looking for the following query: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA ‘Win32_LogicalDisk. Once that’s been found, it overrides the indicate function found in the IID_IwbemObjectSink interface and infects EXE files using the recursive scanning of folders. When going after shared drives, it looks for the API functions: NetServerEnum and NetShareEnum before starting the infection process.
Command & Control activities are started from a separate process threat that receives the instructions. All the communications between the controlling server and the infected host are encrypted with AES encryption.
Below is a list of commands the malicious servers can send:
A successful KBOT infection could result in the loss of sensitive information and the propagation of malware throughout the environment. KBOT embeds in the infected host and any connected mediums such as network drives, thumb drives, optical media, etc.
For AlienVault users, we strongly encourage that you use the AlienVault OTX link found below to block the IOCs listed there. Malware like KBOT may require that you wipe and reload the infected system restoring it from a clean backup.
Keep systems up to date and use web filtering technology to stop the spread of malware through infected websites. Perform regular security awareness training to prevent users from getting phished or picking up infected media.
IBM X-Force Exchange:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.