KBOT Overview

This report is about a new virus referred to as "KBOT" by security researchers. The virus is built to inject into executable files and core Windows processes and its purpose is to steal sensitive information from infected hosts.

Tactics, Techniques, and Procedures

KBOT targets the user’s personal and financial data such as user credentials, cryptocurrency wallet data, installed applications, a list of files, and more. The malware is highly modular with the ability to download certain functionalities from command & control infrastructure. It avoids detection by creating a virtual file system and encrypting it with the RC6 encryption algorithm. The configuration files, stolen data, and downloaded content are stored inside the virtual file system.

The virus infects all files with the EXE file extension on logical drives which includes:

  • HDD partitions
  • External media (USB, DVD-R, etc.)
  • Network drives

The virus adds polymorphic code to the file body section via listening for connection events targeting the IID_IwbemObjectSink interface looking for the following query: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA ‘Win32_LogicalDisk. Once that’s been found, it overrides the indicate function found in the IID_IwbemObjectSink interface and infects EXE files using the recursive scanning of folders. When going after shared drives, it looks for the API functions: NetServerEnum and NetShareEnum before starting the infection process.

Malware Features/Abilities:

  • Remote management – through a reverse connection using the servers listed in a file called BC.ini
  • Startup – modifies a registry key or creates a scheduled task through WMI
  • Process Injection – injects malicious code into core Windows system processes like svchost.exe for example.
  • DLL Hijacking – goes after DLL files listed in any infected executable’s import list

Command & Control activities are started from a separate process threat that receives the instructions. All the communications between the controlling server and the infected host are encrypted with AES encryption.

Below is a list of commands the malicious servers can send:

  • DeleteFile – delete a file from storage
  • UpdateFile – update a file in storage
  • UpdateInjects – updates the injects.ini file.
  • UpdateHosts – updates the hosts.ini file
  • UpdateCore – update the main bot module and the associated configuration file kbot.ini
  • Uninstall – remove the malware from the infected host
  • UpdateWormConfig – update the worm.ini file on the location of executable files to be infected


A successful KBOT infection could result in the loss of sensitive information and the propagation of malware throughout the environment. KBOT embeds in the infected host and any connected mediums such as network drives, thumb drives, optical media, etc.


For AlienVault users, we strongly encourage that you use the AlienVault OTX link found below to block the IOCs listed there. Malware like KBOT may require that you wipe and reload the infected system restoring it from a clean backup.

Keep systems up to date and use web filtering technology to stop the spread of malware through infected websites. Perform regular security awareness training to prevent users from getting phished or picking up infected media.


IBM X-Force Exchange:

Supporting Documentation:

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.