Volt Typhoon’s KV-Botnet and the Threat to Global Communications, Attacks on SOHO routers

by | Dec 14, 2023 | News


Chinese state-sponsored hacking group linked to sophisticated botnet targeting critical infrastructure.

The Chinese state-sponsored APT hacking group known as Volt Typhoon (Bronze Silhouette), previously documented by Microsoft and US government agencies in May 2023, has been linked by Lumen's Black Lotus Labs to a botnet named 'KV-botnet.' The botnet has been used since at least 2022 to compromise SOHO routers at high-value targets, including telecommunication and internet service providers, a US territorial government entity in Guam, a renewable energy firm in Europe, and US military organizations.
 
Volt Typhoon commonly compromises routers, firewalls, and VPN devices and uses them to proxy its malicious traffic, blending it with legitimate traffic so that it is harder to spot. A detailed report by the Black Lotus Labs team at Lumen Technologies documents KV-botnet; Microsoft has previously warned that Volt Typhoon is building capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.


KV-Botnet Technical Details

Black Lotus has identified two distinct activity clusters within the KV-Botnet, labeled as ‘KV’ and ‘JDY.’ The former targets high-value entities and is likely operated manually, while the latter engages in broader scanning using less sophisticated techniques.

Two separate clusters of activity linked to KV-botnet (Lumen)
 
This botnet specifically targets end-of-life devices utilized by SOHO (small office, home office) entities that lack robust security measures. It supports various architectures, including ARM, MIPS, MIPSEL, x86_64, i686, i486, and i386.
 
Initially focusing on Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFE firewalls, the malware later expanded its scope to include Axis IP cameras such as the M1045-LW, M1065-LW, and P1367-E models.
 
Volt Typhoon employs a complex infection chain involving multiple files, including bash scripts (kv.sh), which halt specific processes and remove security tools running on the infected device.
 
 
The KV (manual) infection chain (Lumen)
 
To avoid detection, the bot communicates with its C2 (command and control) server over randomly chosen ports and disguises itself by taking the names of processes already running on the device. All of its tooling lives only in memory, which makes it hard to find with file-based scanning but also costs it persistence: a reboot wipes the implant, and the operators have to reinfect the device.
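The three evasion traits described above (memory-only binaries, borrowed process names, a dropper script staged in a writable path) are exactly what a host-side check on a Linux-based router can look for. The script below is an added example written for this article, not code from Lumen or from the original report; the memory-backed path prefixes, the constructed process table and the `/tmp/kv.sh` location are assumptions made for illustration.

```python
"""Hunt for KV-style evasion traits in a process table.

Flags (1) executables that exist only in memory (unlinked or on tmpfs),
(2) memory-only processes wearing the name of a daemon that is legitimately
installed on disk, and (3) interpreters running a script from a memory-backed path.
Runs against a constructed sample by default, or against live /proc with --live.
"""
import os
import sys
from collections import defaultdict
from dataclasses import dataclass

# Prefixes treated as "lives only in RAM". Assumption for this example; tune per device.
MEMORY_BACKED = ("/dev/shm/", "/tmp/", "memfd:")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm, the name `ps` shows (max 15 chars)
    exe: str       # readlink(/proc/<pid>/exe); "" when unreadable
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def is_fileless(exe: str) -> bool:
    """True when the executable has been unlinked or sits on a memory-backed fs."""
    return exe.endswith(" (deleted)") or exe.startswith(MEMORY_BACKED)


def findings(procs):
    """Return (pid, reason) pairs for processes showing the evasion traits."""
    on_disk_by_comm = defaultdict(set)
    for p in procs:
        if p.exe and not is_fileless(p.exe):
            on_disk_by_comm[p.comm].add(p.exe)

    out = []
    for p in procs:
        if is_fileless(p.exe):
            out.append((p.pid, f"executable is memory-only: {p.exe}"))
            # A memory-only binary using the name of a daemon that really is
            # installed on disk is the process-name masquerade described above.
            if on_disk_by_comm.get(p.comm):
                legit = ", ".join(sorted(on_disk_by_comm[p.comm]))
                out.append((p.pid, f"name {p.comm!r} masquerades as {legit}"))
        # Dropper stage: any argument pointing into a memory-backed path.
        for arg in p.cmdline.split()[1:]:
            if arg.startswith(MEMORY_BACKED):
                out.append((p.pid, f"runs from memory-backed path: {arg}"))
                break
    return out


def read_proc(root="/proc"):
    """Collect Proc records from a live Linux host (reading exe links needs root)."""
    procs = []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        base = os.path.join(root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:          # kernel thread or insufficient privilege
                exe = ""
        except OSError:
            continue                 # process exited while we were reading it
        procs.append(Proc(int(name), comm, exe, cmdline))
    return procs


# Constructed process table, not captured from a real device: pid 913 is a
# memory-only binary posing as the router's web server, pid 1021 a dropper script.
SAMPLE = [
    Proc(1, "init", "/sbin/init", "/sbin/init"),
    Proc(412, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -f /etc/httpd.conf"),
    Proc(913, "httpd", "/dev/shm/.x (deleted)", "httpd"),
    Proc(958, "dropbear", "/usr/sbin/dropbear", "/usr/sbin/dropbear -p 22"),
    Proc(1021, "sh", "/bin/busybox", "sh /tmp/kv.sh"),
]

if __name__ == "__main__":
    table = read_proc() if "--live" in sys.argv else SAMPLE
    for pid, reason in findings(table):
        print(f"pid {pid}: {reason}")
```

On the sample table the checker reports pid 913 twice (memory-only executable, and masquerading as `/usr/sbin/httpd`) and pid 1021 once for the script under `/tmp`. The comm-versus-exe comparison is deliberately limited to memory-only processes: on real firmware many legitimate names differ from their resolved binary (BusyBox applets, symlinked interpreters), so flagging every mismatch would bury the signal. Because the implant does not survive a reboot, run such a check on a live device rather than on an image pulled after a power cycle.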
 
 
The commands received by KV-Botnet from the C2 server encompass updating communication settings, exfiltrating host information, performing data transmission, creating network connections, executing host tasks, and other functions.
 
Chinese Link

Black Lotus Labs has linked this botnet to Volt Typhoon after finding overlaps in IP addresses, similar tactics, and working times that align with China Standard Time.

KV-botnet activity times align with China working hours (Lumen)

Lumen has released indicators of compromise (IOCs) on GitHub, including malware hashes and IP addresses associated with the botnet, shedding light on the covert operations of Volt Typhoon.


Source: bleepingcomputer.com
