KBOT Virus

KBOT is a new polymorphic virus that exfiltrates financial and credential data from affected systems. At the time of publication, it appears to be the first new virus observed in the wild in several years.

As KBOT propagates via previously infected files, it can be delivered through a number of methods including spam or phishing campaigns, drive-by-download, watering hole attacks, or removable media. Once delivered, KBOT will attempt to inject RC4-encrypted copies of itself into all EXE files present on any connected local or network drives, destroying their original content in the process.

It then spawns a new copy of svchost.exe and injects itself into it in order to avoid detection by security services. Persistence is maintained by creating new registry entries and creating a scheduled task using WMIC.

KBOT uses a pair of embedded DLL files to gather user credentials and financial information from website forms, password safes, and cryptocurrency wallets. It can also download additional modules from a command and control (C2) server to enhance its capabilities.

Extracted information is AES encrypted and stored in a virtual filesystem before being sent to the C2 servers. KBOT will also create multiple Remote Desktop sessions, presumably to allow its operators to control affected systems.

Kaspersky researchers detected this Virus and its components as Virus.Win32.Kpot.a, Virus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b, and Trojan-PSW.Win32.Coins.nav. “

Indicators of Compromise

IP Addresses

• 213.252.245[.]229

URLs

• 213.252.245.146/au.exe
• my-backup-club-911[.]xyz
• sync-time[.]club/au.exe
• sync-time[.]icu/au.exe
• sync-time[.]info/au.exe

MD5 File Hashes

• 1c15c98bc57c48140558d0e8d71b4ecd
• 2e3a7d4cf86025f5873ebddf3dcacf72
• 46b3c12b44f587ae25d6f38d2a8c4e0f
• 5f00df73bb6e84c49b9bf33ff1d552c3
• c37058752b2c055ff3a3b3eac50f1350