1. Home
  2. Campaigns
  3. KV Botnet Activity

KV Botnet Activity

KV Botnet Activity consisted of exploitation of primarily "end-of-life" small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[2]

ID: C0035
First Seen:  October 2022 [1]
Last Seen:  January 2024 [2]
Version: 1.0
Created: 10 June 2024
Last Modified: 03 October 2024

Groups

ID Name Description
G1017 Volt Typhoon

Volt Typhoon used KV Botnet Activity to build intermediate communication chains between operators and victims, such as identified access to victims in Guam.[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 事件触发执行

KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.[1]
Enterprise T1036 伪装

KV Botnet Activity involves changing process filename to pr_set_mm_exe_file and process name to pr_set_name during later infection stages.[1]
.004 Masquerade Task or Service

KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker\/0:1], then renaming its initial installation stage to this process name.[1]
Enterprise T1573 加密通道

KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.[1]
Enterprise T1059 .004 命令与脚本解释器: Unix Shell

KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.[1]
Enterprise T1584 .008 基础设施妥协: Network Devices

KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.[1]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.[1]
Enterprise T1083 文件和目录发现

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: \/usr\/sbin\/, \/usr\/bin\/, \/sbin\/, \/pfrm2.0\/bin\/, \/usr\/local\/bin\/.[1]
Enterprise T1222 .002 文件和目录权限修改: Linux and Mac File and Directory Permissions Modification

KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.[1]
Enterprise T1070 .004 移除指标: File Deletion

KV Botnet Activity removes on-disk copies of tools and other artifacts after it the primary botnet payload has been loaded into memory on the victim device.[1]
Enterprise T1082 系统信息发现

KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.[1]
Enterprise T1016 系统网络配置发现

KV Botnet Activity gathers victim IP information during initial installation stages.[1]
Enterprise T1583 .003 获取基础设施: Virtual Private Server

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[1]
Enterprise T1518 .001 软件发现: Security Software Discovery

KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.[1]
Enterprise T1105 输入工具传输

KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[1]
Enterprise T1057 进程发现

Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[1]
Enterprise T1055 .009 进程注入: Proc Memory

KV Botnet Activity final payload installation includes mounting and binding to the \/proc\/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.[1]
Enterprise T1095 非应用层协议

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.[1]
Enterprise T1571 非标准端口

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[1]

References

  1. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  1. US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.