KV Botnet Activity

KV Botnet Activity consisted primarily of the exploitation of "end-of-life" small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. Volt Typhoon used the KV Botnet to obfuscate its connectivity to victims in multiple critical infrastructure sectors, including energy and telecommunications companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] US law enforcement disrupted the botnet in early 2024, following periods of activity from October 2022 through January 2024.[2]

ID: C0035
First Seen:  October 2022 [1]
Last Seen:  January 2024 [2]
Version: 1.0
Created: 10 June 2024
Last Modified: 03 October 2024

Groups

ID Name Description
G1017 Volt Typhoon

Volt Typhoon used KV Botnet Activity to build intermediate communication chains between operators and victims, such as identified access to victims in Guam.[1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.[1]

Enterprise T1584 .008 Compromise Infrastructure: Network Devices

KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.[1]

Enterprise T1573 Encrypted Channel

KV Botnet Activity command and control begins with the server transmitting an RSA public key, followed by further negotiation stages that form a handshake resembling TLS negotiation.[1]

Enterprise T1546 Event Triggered Execution

KV Botnet Activity uses libevent on victim systems to register a callback that inspects running processes for paths containing any of busybox, wget, curl, tftp, telnetd, or lua. A matching process is terminated unless its path also contains the string bioset.[1]

Enterprise T1083 File and Directory Discovery

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: /usr/sbin/, /usr/bin/, /sbin/, /pfrm2.0/bin/, /usr/local/bin/.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[1]

Enterprise T1105 Ingress Tool Transfer

KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[1]

Enterprise T1036 Masquerading

KV Botnet Activity changes the process's reported executable path via the prctl PR_SET_MM_EXE_FILE operation and its process name via PR_SET_NAME during later infection stages.[1]

.004 Masquerade Task or Service

KV Botnet Activity installation steps first identify, then stop, any process whose name contains [kworker/0:1], and then rename the initial installation stage to that process name.[1]

Enterprise T1095 Non-Application Layer Protocol

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.[1]

Enterprise T1571 Non-Standard Port

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[1]
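A listener on an arbitrary port above 30,000 is visible in /proc/net/tcp on the device itself. The parser below, added here as an example and not taken from this page or the cited reports, decodes that file's hex-encoded address columns and reports LISTEN sockets above a threshold; the /proc/net/tcp text is constructed, and the function names, the 30,000 threshold and the byte-order handling are assumptions, not details from the KV Botnet analysis.

```python
"""Find listening TCP sockets on high ports by parsing /proc/net/tcp.

Added example; not code from the ATT&CK page or the KV Botnet reports.
The SAMPLE_PROC_NET_TCP text is constructed. On a live device, read the real
/proc/net/tcp (and /proc/net/tcp6) and join inodes to pids with socket_owners().
"""
import os
from dataclasses import dataclass

TCP_LISTEN = 0x0A  # kernel socket state value for LISTEN


@dataclass(frozen=True)
class Socket:
    local_ip: str
    local_port: int
    state: int
    inode: int


def _hex_ip(hex_ip: str, little_endian: bool) -> str:
    # The kernel prints the 32-bit address with %08X, so the byte order follows the
    # host CPU: reversed on little-endian x86/ARM/MIPSEL, natural on big-endian MIPS.
    raw = bytes.fromhex(hex_ip)
    if little_endian:
        raw = raw[::-1]
    return ".".join(str(b) for b in raw)


def parse_proc_net_tcp(text: str, little_endian: bool = True) -> list[Socket]:
    """Parse the text of /proc/net/tcp into Socket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        ip_hex, port_hex = cols[1].split(":")
        # Ports are printed after ntohs(), so they read naturally on every host.
        sockets.append(Socket(_hex_ip(ip_hex, little_endian),
                              int(port_hex, 16), int(cols[3], 16), int(cols[9])))
    return sockets


def high_port_listeners(sockets: list[Socket], threshold: int = 30000) -> list[Socket]:
    """LISTEN sockets bound above `threshold`; on a SOHO device each one should be explainable."""
    return [s for s in sockets if s.state == TCP_LISTEN and s.local_port > threshold]


def socket_owners() -> dict[int, int]:
    """Live Linux only: map socket inode -> pid by walking /proc/<pid>/fd symlinks."""
    owners = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            for fd in os.listdir(f"/proc/{name}/fd"):
                target = os.readlink(f"/proc/{name}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[int(target[len("socket:["):-1])] = int(name)
        except OSError:
            continue  # process exited or fd table not readable
    return owners


# Constructed sample: sshd on 22, a loopback-only web UI on 80, an unexplained
# listener on 34567 (0x8707), and one established outbound connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 0000000000000000 100 0 0 10 0
   2: 00000000:8707 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:AFC8 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000     0        0 9004 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for s in high_port_listeners(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"LISTEN {s.local_ip}:{s.local_port} inode={s.inode}")
```

Pass `little_endian=False` on big-endian MIPS devices, otherwise the addresses (not the ports) come out byte-reversed. Joining the inode from this output against socket_owners() gives the owning pid, which can then be checked with the process-masquerading rules further down.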

Enterprise T1057 Process Discovery

Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[1]

Enterprise T1055 .009 Process Injection: Proc Memory

KV Botnet Activity final payload installation includes mounting and binding to the /proc/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.[1]
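The masquerading entries above (a user-space process renamed to look like a kworker kernel thread) and the memory-resident behaviour just described (the payload keeps running after its on-disk copy is deleted) both leave traces in /proc. The script below, added here as an example and not code from this page or the cited reports, applies two heuristics to a per-process snapshot: a kernel-thread-style name on a process that has a parent other than kthreadd or a resolvable executable, and an exe link whose target is marked "(deleted)". The snapshot records, the Proc field names and the regex of kernel-thread name prefixes are assumptions; on a live Linux device the same fields come from /proc/<pid>/comm, stat, exe and cmdline.

```python
"""Hunt for processes masquerading as kernel threads or running from deleted binaries.

Added example; not code from the ATT&CK page or the KV Botnet reports.
Input is a snapshot of the fields a /proc walk yields. SAMPLE is constructed.
"""
import os
import re
from dataclasses import dataclass

# Genuine kernel threads are children of kthreadd (pid 2), have no executable
# image and an empty cmdline; `ps` renders them in brackets, e.g. [kworker/0:1].
KTHREADD_PID = 2
KTHREAD_NAME = re.compile(r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|cpuhp|watchdog)")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm (or argv[0] as shown by ps)
    exe: str       # readlink(/proc/<pid>/exe); "" when the link cannot be resolved
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces; "" for kernel threads


def findings_for(p: Proc) -> list[str]:
    """Reasons this process deserves a closer look (empty list if none)."""
    out = []
    if KTHREAD_NAME.match(p.comm):
        if p.ppid not in (0, KTHREADD_PID):
            out.append(f"kernel-thread name {p.comm!r} but parent pid is {p.ppid}, not kthreadd")
        if p.exe or p.cmdline:
            out.append(f"kernel-thread name {p.comm!r} but has exe {p.exe!r} / cmdline {p.cmdline!r}")
    if p.exe.endswith(" (deleted)"):
        out.append("running image was unlinked from disk: " + p.exe)
    return out


def hunt(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that triggered at least one rule."""
    return {p.pid: f for p in procs if (f := findings_for(p))}


def snapshot_from_proc() -> list[Proc]:
    """Live Linux only: build the snapshot from /proc (unreadable entries are skipped)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/stat") as fh:
                # comm may contain spaces, so split after the closing ')': state, ppid, ...
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel threads and unreadable processes have no resolvable exe
        except OSError:
            continue
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


# Constructed sample: one real kworker, one impostor whose binary was deleted
# after launch, and one ordinary busybox daemon.
SAMPLE = [
    Proc(pid=37, ppid=2, comm="kworker/0:1", exe="", cmdline=""),
    Proc(pid=1337, ppid=1, comm="kworker/0:1", exe="/tmp/.sys (deleted)", cmdline="[kworker/0:1]"),
    Proc(pid=812, ppid=1, comm="httpd", exe="/bin/busybox", cmdline="httpd -p 80"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

Run hunt(snapshot_from_proc()) on a device under review; the parent-pid rule catches the rename even when the malware also fixes up its exe link with PR_SET_MM_EXE_FILE, because reparenting under kthreadd is not something a user-space process can do.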

Enterprise T1518 .001 Software Discovery: Security Software Discovery

KV Botnet Activity identified security tools, as well as other IoT malware, present on compromised devices in order to remove them.[1]

Enterprise T1082 System Information Discovery

KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.[1]

Enterprise T1016 System Network Configuration Discovery

KV Botnet Activity gathers victim IP information during initial installation stages.[1]

References