KmsdBot Malware Gets an Upgrade

An updated version of the botnet malware KmsdBot is now targeting Internet of Things (IoT) devices, expanding both its capabilities and its attack surface.

The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it’s being actively maintained indicates its effectiveness in real-world attacks.

KmsdBot was first documented by the web infrastructure and security company in November 2022. It’s mainly designed to target private gaming servers and cloud hosting providers, although it has since set its sights on some Romanian government and Spanish educational sites.

The malware is designed to scan random IP addresses for open SSH ports and brute-force the system with a password list downloaded from an actor-controlled server. The new updates add Telnet scanning and support for more CPU architectures commonly found in IoT devices.
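
A defender-side view of the SSH brute-forcing described above, as an added example that is not from the original article or the research it reports on: a sliding-window check over sshd authentication logs that flags sources failing many logins in a short time. The log lines are constructed, and the threshold, window and assumed year are illustrative values, not figures from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jul 16 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 16 03:12:03 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Jul 16 03:12:04 host sshd[813]: Failed password for invalid user ubnt from 203.0.113.7 port 40121 ssh2
Jul 16 03:12:06 host sshd[814]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 16 03:12:09 host sshd[815]: Failed password for invalid user pi from 203.0.113.7 port 40135 ssh2
Jul 16 03:15:40 host sshd[820]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Jul 16 03:15:52 host sshd[820]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Jul 16 09:30:00 host sshd[901]: Failed password for root from 192.0.2.44 port 33000 ssh2
Jul 16 11:45:00 host sshd[950]: Failed password for root from 192.0.2.44 port 33410 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2023):
    """Return {ip: sorted usernames} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures still inside the window
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed (parameter `year`).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]].update(user for _, user in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: usernames tried: {', '.join(users)}")
```

Slow, isolated failures (the 192.0.2.44 lines) and a single mistyped password followed by a successful login stay below the threshold, so only the burst source is reported.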

“The ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems,” Cashdollar said.

“From a technical perspective, the addition of telnet scanning capabilities suggests an expansion in the botnet’s attack surface, enabling it to target a wider range of devices. Moreover, as the malware evolves and adds support for more CPU architectures, it poses an ongoing threat to the security of internet-connected devices.”