KBOT Virus

First observed in early 2020, KBOT is a polymorphic virus that exfiltrates financial and credential data from affected systems. As of the time of publication, it appears to be the first new virus observed in the wild in several years.

Threat ID:: CC-3363
Category:: Virus
Threat Severity:: Medium
Threat Vector:: Phishing
Published:: 13 February 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

As KBOT propagates via previously infected files, it can be delivered through a number of methods including spam or phishing campaigns, drive-by-download, watering hole attacks, or removable media. Once delivered, KBOT will attempt to inject RC4-encrypted copies of itself into all EXE files present on any connected local or network drives, destroying their original content in the process. It then spawns a new copy of svchost.exe and injects itself into it in order to avoid detection by security services. Persistence is maintained by creating new registry entries and creating a scheduled task using WMIC.

KBOT uses a pair of embedded DLL files to gather user credentials and financial information from website forms, password safes, and cryptocurrency wallets. It can also download additional modules from a command and control (C2) server to enhance its capabilities. Extracted information is AES encrypted and stored in a virtual filesystem before being sent to the C2 servers. KBOT will also create multiple Remote Desktop sessions, presumably to allow its operators to control affected systems.

Remediation steps

Type	Step
	To prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Indicators of compromise

Main indicators

IP Addresses

213.252.245[.]229

URLs

213.252.245.146/au.exe
my-backup-club-911[.]xyz
sync-time[.]club/au.exe
sync-time[.]icu/au.exe
sync-time[.]info/au.exe

MD5 File Hashes

1c15c98bc57c48140558d0e8d71b4ecd
2e3a7d4cf86025f5873ebddf3dcacf72
46b3c12b44f587ae25d6f38d2a8c4e0f
5f00df73bb6e84c49b9bf33ff1d552c3
c37058752b2c055ff3a3b3eac50f1350

Last edited: 29 June 2021 12:00 pm