Executive Summary of the Kraken botnet
A recently discovered botnet named Kraken is under active development and is stealing data from Windows hosts. Kraken has been active since October 2021 and was discovered by ZeroFox Intelligence. The botnet is known for its simple functionality but has already started turning a $3k monthly profit for its owners. According to ZeroFox, Kraken is trying to rebrand and find its place within the threat landscape. Between January 4, 2022, and January 7, 2022, the operators behind Kraken began using names “Anubis” and “Pepega” internally. However, the name Kraken is still being used by cyber security professionals and by media outlets.
Ever-shifting, botnets have proven just how dangerous they can be within the last few months. From Meris to Qakbot, botnets can spread through machines quickly and easily take down an entire organization before the attack is noticed. Let’s take a look at Kraken and how you can keep your organization from becoming a victim of this newly developed botnet.
A botnet, which is short for robot network, is a group of computers that have been infected with malware. The botnets are under the control of threat actors who can command every computer on their botnet to carry out coordinated attacks. Sometimes botnets are massive, comprised of millions of bots. The scale of a botnet allows attackers to perform large-scale attacks that were impossible with malware alone.
The purpose of a botnet is to speed up a threat actor’s ability to carry out large attacks. At little cost to them, threat actors can acquire thousands of machines to use in their attacks. Bot herders (threat actors) are at the head of the operation and compile bots, while using command programming to drive their next actions. Bots operate under remote commands designed by their bot herder. Here are the basic stages of building a botnet:
Under the control of the threat actors, targeted machines can change their behavior at any moment and can receive updates. Because of the botnet’s ability to change quickly, threat actors will often rent access to segments of their botnet to other cyber criminals on the black market.
Bot herders send bots from their command and control servers to unknowing recipients via malicious file sharing, email, or social media application protocols. When an unknowing victim opens the malicious file, the bot sends a message back to command and control (C2). Next, the threat actor dictates commands to the infected computers.
Botnets are one of the most sophisticated types of modern malware and are a significant concern for organizations. Leveraging networks to gain power and resilience, botnets expose organizations to breaches, DDoS attacks, email spam, and targeted intrusions.
As previously stated, Kraken was unknown until ZeroFox discovered it in October 2021. Keep in mind, this new botnet is not to be confused with the Kraken botnet from 2008, as they don’t have much in common. Kraken uses SmokeLoader, a multi-use hacking tool, to install malicious software on targeted machines and picks up hundreds of new bots every time a new C2 server is deployed. The botnet is still under development but already has the ability to exfiltrate sensitive data from Windows hosts. According to ZeroFox, current iterations of Kraken feature the following abilities:
In October 2021, Kraken’s code, which is written in Go, was uploaded to GitHub, but the project only had two commits and the source code pre-dated any binaries ZeroFox observed in the wild. The GitHub profile’s owner is unknown, so it isn’t clear if the profile belongs to Kraken’s operators or if the operator used the code to kickstart their development.
Originally, Kraken spread in self-extracting RAR SFX files via SmokeLoader downloads. The SFX included a UPX-packed version of Kraken called RedLine Stealer, as well as another binary used to delete Kraken. Today, Kraken is downloaded by SmokeLoader directly, and the botnet’s binaries are UPX-packed and additionally protected by the Themida packer.
Kraken runs two commands to stay hidden: 1. Powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft and 2. Attrib +S +H %APPDATA%\Microsoft\<EXE_NAME>. The PowerShell command tells Microsoft Defender not to scan Kraken’s installation directory. The attrib command hides the copied EXE file from any Windows Explorer window that doesn’t have the “Show hidden files, folders, and drives” option enabled. Kraken also registers itself under the Windows Run registry key so that it starts every time the victim logs in.
Image 1: Run Key Persistence
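As an added example that is not part of the Avertium report or ZeroFox’s research, the following Python detection flags the three persistence and evasion artifacts described above (the Defender exclusion, the attrib +S +H call, and the Run key pointing into %APPDATA%\Microsoft) in Sysmon-style process-creation and registry events. The event records are constructed here for illustration, and the field names are a simplified assumption rather than Sysmon’s exact schema.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, reduced to the fields the logic needs:
# eid 1 = process creation, eid 13 = registry value set (Sysmon-like, simplified).
SAMPLE_EVENTS = [
    {"eid": 1, "host": "WS01",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft"},
    {"eid": 1, "host": "WS01",
     "cmdline": r"attrib +S +H C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe"},
    {"eid": 13, "host": "WS01",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe"},
    {"eid": 1, "host": "WS02",
     "cmdline": r"attrib +R C:\Users\bob\Documents\notes.txt"},  # benign, must not match
]

# Matches the unexpanded %APPDATA%\Microsoft form used in the commands as well as
# the expanded ...\AppData\Roaming\Microsoft path seen in real command lines.
APPDATA_MS = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\Microsoft(\\|$|\s)", re.I)


def classify(ev: Dict) -> Optional[str]:
    """Return the technique label an event matches, or None."""
    if ev["eid"] == 1:
        c = ev["cmdline"]
        if (re.search(r"Add-MpPreference", c, re.I)
                and re.search(r"-ExclusionPath", c, re.I) and APPDATA_MS.search(c)):
            return "defender_exclusion"
        if (re.search(r"\battrib(\.exe)?\b", c, re.I) and re.search(r"\+S\b", c, re.I)
                and re.search(r"\+H\b", c, re.I) and APPDATA_MS.search(c)):
            return "hidden_system_attrib"
    elif ev["eid"] == 13:
        if (re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I)
                and APPDATA_MS.search(ev["details"])):
            return "run_key_appdata"
    return None


def hunt(events: List[Dict]) -> Dict[str, set]:
    """Group matched technique labels per host."""
    hits: Dict[str, set] = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], set()).add(label)
    return hits


def high_confidence_hosts(events: List[Dict]) -> List[str]:
    """Hosts showing two or more of the three artifacts; a single hit alone is weaker evidence."""
    return sorted(h for h, labels in hunt(events).items() if len(labels) >= 2)
```

Any one of these artifacts can occur legitimately, so the host-level correlation in high_confidence_hosts is what turns three noisy signals into a usable alert.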
Although Kraken’s features are simple, they are mighty. Kraken can collect information about its infected host and send it back to the C2 server during registration. Although the information Kraken collects varies from build to build, here is some of the information ZeroFox observed the botnet collecting:
Unlike earlier versions, Kraken now has the ability to download and execute files. From the dashboard, Kraken’s operators are able to run shell commands and return the results back to the C2 server. After execution, the botnet takes a screenshot and sends it to the command and control. Additionally, Kraken has the ability to steal various cryptocurrency wallets from different locations. Those locations include:
In February 2022, Kraken’s C2 panel was redesigned and was named Anubis. The panel provides the threat actors with more information than the original Kraken panel. It’s now possible for Kraken’s operators to view command history and information about their victim. Additionally, the Anubis panel targets specific Chromium-based browsers (Brave, Google Chrome, and Microsoft Edge). Kraken deploys generic information stealers and cryptocurrency miners.
Source: ZeroFox Intelligence
Image 3: Chromium Based Web Browser Paths
As we stated earlier, Kraken is still in development and its C2s disappear often. Activity for its servers has dwindled on several occasions, but another server appears later using either a new port or a new IP address. Spread by SmokeLoader, Kraken is able to gain hundreds of new bots each time the C2 changes. The operator behind Kraken pushed information stealers (particularly RedLine Stealer via Anubis) from October 2021 to December 2021. Kraken used to rely solely on secondary payloads like RedLine Stealer to steal data from victims, but researchers expect Kraken to end its reliance on third-party information stealers if it continues to add new features. Researchers are not sure what the ultimate goal is for creating Kraken or what the operators plan to do with the stolen information. If Kraken currently pulls in USD $3,000 per month for its operators, then some might say the operators’ goal is financial.
In October 2021, Avertium published a report featuring the Meris botnet. The botnet was responsible for attacking Cloudflare, Yandex, and KrebsOnSecurity via DDoS attacks. It also targeted customers in the financial industry and exploited an unpatched vulnerability (CVE-2018-14847) within MikroTik routers from 2018. The attackers behind Meris had the ability to execute a much larger attack, but they chose not to at that time. In March 2022, the Meris botnet played a key role in a massive DDoS attack on an undisclosed website. The threat actors behind the attack included a ransom note as part of the attack itself. Researchers believe it was a reminder to send their bitcoin payment.
Also, the Qakbot botnet has been seen spreading through email thread hijacking. Email thread hijacking happens when malware operators malspam replies to ongoing email threads – with victims not realizing the replies are not from the human who owns the email box where the replies originated. In March 2022, our partner, Sophos, published a detailed report about the botnet and its capabilities. Qakbot’s main goal is to steal logins and passwords for malicious reasons. It’s also capable of spying on financial operations and installing ransomware, making the botnet multipurpose.
Botnets like TrickBot can be used as initial access points for ransomware. TrickBot was initially a banking trojan designed to steal financial data but has since evolved into a modular stealer targeting a wide range of information. It has been used often by the ransomware gang Conti and is one of the reasons why Conti was able to rise so quickly. At one point, Conti became the only end-user of TrickBot’s botnet product, ultimately leading TrickBot to be acquired by Conti at the end of 2021. TrickBot is still operational, but the malware has reached its maximum value.
Most of the IoCs associated with TrickBot are not used by Conti because of how easy they are to detect. However, the developers and managers behind TrickBot are still valuable to Conti.
Because botnets have become a fixture within the threat landscape and are starting to shift their focus from DDoS attacks, it’s important to recognize that they evolve quickly and use newer attack techniques. Unlike Meris, Kraken has steered clear of using a DDoS attack and has other means of attacking its victims – choosing to steal information via RedLine Stealer from infected machines. In September 2021 and October 2021, Security Week saw an increase in RedLine Stealer malware, particularly in the Middle East and in Europe. RedLine Stealer isn’t a new tool and the developers behind it regularly change the malware to find new victims, with its latest variant named “Omicron Stats.exe.”
The above is a testament to how botnets are growing in sophistication and how threat actors leverage several attack techniques to accomplish their malicious goals. Law enforcement and security professionals have been successful in taking down botnets, but the success is often short-lived. In April 2021, Emotet was taken down by law enforcement, a major win for the cyber security world, but the victory was short-lived when the botnet returned in November 2021.
If you think your organization can wait to protect itself from botnets like Kraken, you’re mistaken. We have already seen some of the most vicious cyber attacks this year, and a holistic yet integrated security approach is the best protection against botnets. Additionally, ensuring that your organization takes a security-first approach when adopting new technologies will help keep networks safe. Don’t put off securing your environment; it takes only one threat to cripple an organization.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.