KV Botnet Activity consisted primarily of the exploitation of "end-of-life" small office/home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. Volt Typhoon used the KV Botnet to obfuscate its connectivity to victims in multiple critical infrastructure sectors, including energy and telecommunications companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] The botnet was disrupted by US law enforcement in early 2024 after periods of activity from October 2022 through January 2024.[2]
ID | Name | Description |
---|---|---|
G1017 | Volt Typhoon | Volt Typhoon used KV Botnet Activity to build intermediate communication chains between operators and victims, such as identified access to victims in Guam.[1] |
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[1] |
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | KV Botnet Activity uses multiple Bash scripts during the botnet installation stages, and the final botnet payload allows commands to be run in the Bash shell.[1] |
Enterprise | T1584.008 | Compromise Infrastructure: Network Devices | KV Botnet Activity focuses on compromising small office/home office (SOHO) network devices to build the botnet.[1] |
Enterprise | T1573 | Encrypted Channel | KV Botnet Activity command and control includes transmission of an RSA public key from the server, followed by further negotiation stages that form a handshake similar to a TLS negotiation.[1] |
Enterprise | T1546 | Event Triggered Execution | KV Botnet Activity involves managing events on victim systems via |
Enterprise | T1083 | File and Directory Discovery | KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: |
Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | KV Botnet Activity altered permissions on downloaded tools and payloads to make them executable on victim devices.[1] |
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | KV Botnet Activity used various scripts to remove or disable security tools, such as |
Enterprise | T1070.004 | Indicator Removal: File Deletion | KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[1] |
Enterprise | T1105 | Ingress Tool Transfer | KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[1] |
Enterprise | T1036 | Masquerading | KV Botnet Activity involves changing the process filename to |
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | KV Botnet Activity installation steps include first identifying, then stopping, any process containing |
Enterprise | T1095 | Non-Application Layer Protocol | KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol.[1] |
Enterprise | T1571 | Non-Standard Port | KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[1] |
Enterprise | T1057 | Process Discovery | Scripts associated with KV Botnet Activity initial deployment identify processes related to security tools and other botnet families for follow-on disabling during installation.[1] |
Enterprise | T1055.009 | Process Injection: Proc Memory | KV Botnet Activity final payload installation includes mounting and binding to the |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | KV Botnet Activity involved removal of security tools, as well as other identified IoT malware, from compromised devices.[1] |
Enterprise | T1082 | System Information Discovery | KV Botnet Activity includes use of native system tools, such as |
Enterprise | T1016 | System Network Configuration Discovery | KV Botnet Activity gathers victim IP information during the initial installation stages.[1] |