Malware campaign switches attention to IoT

  • August 30, 2023
  • Steve Rogerson

The KmsdBot malware campaign is switching its attention to IoT devices, according to Massachusetts-based cyber-security specialist Akamai.

The Akamai Security Intelligence Response Team (SIRT) has continued to track the KmsdBot malware campaign, which has revealed an updated Kmsdx binary targeting IoT devices. The binary now includes support for telnet scanning and support for more CPU architectures, expanding its attack capabilities and the attack surface.

These updated capabilities have been seen only since mid-July 2023. The malware targets private gaming servers, cloud hosting providers, and certain government and educational sites.

The malware’s presence and activities indicate that vulnerable IoT devices continue to be a significant threat on the internet, reinforcing the need for regular security measures and updates.

The Akamai SIRT has been tracking the Kmsdx botnet campaign since November 2022.

“Now we have another new evolution,” said Larry Cashdollar from Akamai. “This time, we discovered an updated Kmsdx binary with an IoT slant, which is a stark expansion of capabilities compared with previous versions. The addition of IoT targeting also gives us some insight into the threat actor’s behaviour and the landscape in general. Despite the existence of IoT for several years now, along with multiple large-scale IoT-driven distributed denial-of-service (DDoS) attacks, this new evolution demonstrates the vastness of the threat landscape still posed by IoT.”

The updated binary is responsible for scanning random IP addresses for open SSH ports and attempting to log in to the system with a password list downloaded from the C2 server. The binary has been updated to include support for telnet scanning and verifying legitimate telnet services.

The list of KmsdBot binaries has grown to cover more CPU architectures commonly found in IoT devices.

The sample appears to check for a valid telnet service by determining whether anything is received on the initial connection to port 23. In other words, it checks that whatever is listening on port 23 is a genuine telnet service that presents a prompt, rather than one that simply disconnects. If the check fails, the scan of that host ends there. If it passes (the check function returns false), the binary proceeds to run the infection payload.

“This seemingly simple IP scan actually has a bit of depth to it,” said Cashdollar. “This legitimacy check is one of the factors that clued us into the possibility of targeting IoT devices. Some IoT devices have telnet listening and also have an access control list in place that drops the connection if the IP address isn’t from an RFC 1918 address space.”

The telnet scanner calls a function that generates a random IP address, then attempts to connect to port 23 on that address. The scanner does not stop at a simple listening/not-listening decision for port 23, however; it also verifies that the receive buffer contains data.
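The following is an added illustration, not Akamai's analysis code or any part of the malware: it models the "is there a prompt in the receive buffer" test described above, and shows why the RFC 1918 access control list mentioned by Cashdollar makes a device invisible to it. The device inventory, banners and scanner addresses are constructed; `device_response` is a hypothetical stand-in for a telnet daemon behind such an ACL.

```python
"""Model of the telnet legitimacy check described in the article (added example)."""
import ipaddress

# The three RFC 1918 private ranges an internal-only ACL would allow.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private address blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def bot_accepts_target(received: bytes) -> bool:
    """The scanner's test as described: a host only counts as a live telnet
    service if the first read after connecting returns data (a prompt)
    rather than an empty buffer from a daemon that just disconnects."""
    return len(received) > 0


def device_response(banner: bytes, peer_ip: str, acl_private_only: bool) -> bytes:
    """Hypothetical IoT telnet daemon (constructed for this example): with the
    ACL enabled it drops non-RFC 1918 peers before sending its prompt, so an
    internet-side scanner reads nothing and the legitimacy check fails."""
    if acl_private_only and not is_rfc1918(peer_ip):
        return b""
    return banner


def exposed_devices(inventory, scanner_ip: str):
    """Names of devices whose telnet prompt a scanner at scanner_ip would see,
    i.e. the ones that would pass the bot's check and receive the payload."""
    return [name for name, banner, acl in inventory
            if bot_accepts_target(device_response(banner, scanner_ip, acl))]


# Constructed sample inventory: (name, telnet banner, ACL limited to RFC 1918?).
# Banners start with IAC (0xff) option negotiation, as real telnet daemons do.
INVENTORY = [
    ("camera-1", b"\xff\xfd\x18\xff\xfd\x20login: ", False),   # open to the world
    ("router-1", b"\xff\xfb\x01\xff\xfb\x03Password: ", True),  # LAN-only ACL
    ("sensor-1", b"", False),  # port 23 answers but closes without a prompt
]

if __name__ == "__main__":
    print(exposed_devices(INVENTORY, "203.0.113.7"))   # internet-side scanner
    print(exposed_devices(INVENTORY, "192.168.1.50"))  # same probe from the LAN
```

Run from the LAN the check also lists router-1, which is the point: the ACL hides the prompt from random internet sources without disabling the service for administrators.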

“Although some of the updates to KmsdBot have been less than successful, this time the update seems to have achieved success,” said Cashdollar. “Aside from the added scanning check functionality, many more architectures are supported now. Although Kmsd has been around since at least November 2022, its scanning for telnet legitimacy is quite recent. According to our bot tracking logs, scanning for the telnet service began on July 16, 2023.”

Akamai (www.akamai.com) believes the ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems.

From a technical perspective, the addition of telnet scanning capabilities suggests an expansion in the botnet’s attack surface, enabling it to target a wider range of devices. Moreover, as the malware evolves and adds support for more CPU architectures, it poses an ongoing threat to the security of internet-connected devices.

“This expansion also speaks to the success of the botnet,” said Cashdollar. “If it wasn’t effective, the threat actors wouldn’t spend time updating it so often, even if they did accidentally crash it with one of the updates. From a personal perspective, this discovery emphasises the need for robust security measures and regular updates to protect against such attacks. It also calls for more education about IoT and the threats they pose to the average person or household. We’ve seen it time and time again. A random refrigerator can easily become an unwilling participant in a DDoS attack, likely without the owner’s awareness that an attack is occurring.”