December 15, 2023 at 09:54AM
A new botnet named KV-botnet, built from compromised firewalls and routers of various manufacturers, is used as a covert data transfer network by advanced persistent threat actors, in particular the China-linked threat actor Volt Typhoon. The botnet’s two clusters target high-profile victims and are suspected to be controlled from IP addresses based in China. The operators also remove security programs and competing malware strains to keep their presence on compromised devices. The botnet’s infrastructure has recently been expanded to target Axis IP cameras, possibly signalling a new wave of attacks.
Key Takeaways from the Meeting Notes:
– A new botnet, known as KV-botnet, has been identified by the Black Lotus Labs team at Lumen Technologies. It consists of firewalls and routers from various brands and is being utilized as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.
– The botnet comprises two complementary activity clusters, codenamed KV and JDY, which work together to reach high-profile victims and establish covert infrastructure. The botnet is suspected to be commandeered from IP addresses based in China.
– The threat actor Volt Typhoon is believed to be a user of the KV-botnet, as evidenced by a decline in botnet operations that coincided with the public disclosure of the group’s targeting of critical infrastructure in the U.S.
– The initial infection mechanism used to breach devices is currently unknown. The malware is designed to remove security programs and other malware strains, ensuring its sole presence on the infected machines. It can retrieve the main payload from a remote server and is capable of uploading and downloading files, running commands, and executing additional modules.
– Recent activity indicates that the botnet’s infrastructure has been updated to target Axis IP cameras, possibly signaling a new wave of attacks.
– The malware’s tooling resides entirely in memory, making detection extremely difficult. Because nothing persists on disk, power-cycling the device clears the infection, although re-infection is occurring regularly.
– The researchers emphasized the importance of following the company on Twitter and LinkedIn for more exclusive content.