A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.
Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.
“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.
Beat AI-Powered Threats with Zero Trust – Webinar for Security Professionals
Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.
Join Now
The two clusters – codenamed KY and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.
While the bots part of JDY engages in broader scanning using less sophisticated techniques, the KY component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.
It’s suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.
Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”
The exact initial infection mechanism process used to breach the devices is currently unknown. It’s followed by the first-stage malware taking steps to remove security programs and other malware strains so as to ensure that it’s the “only presence” on these machines.
It’s also designed to retrieve the main payload from a remote server, which, in addition to beaconing back to the same server, is also capable of uploading and downloading files, running commands, and executing additional modules.
Over the past month, the botnet’s infrastructure has received a facelift, targeting Axis IP cameras, indicating that the operators could be gearing up for a new wave of attacks.
“One of the rather interesting aspects of this campaign is that all the tooling appears to reside completely in-memory,” the researchers said. “This makes detection extremely difficult, at the cost of long-term persistence.”
“As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly.”