C0035 KV Botnet Activity
KV Botnet Activity consisted of exploitation of primarily "end-of-life" small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.1 The botnet was disrupted by US law enforcement in early 2024, following periods of activity from October 2022 through January 2024.2
| Item | Value |
|---|---|
| ID | C0035 |
| Associated Names | |
| First Seen | October 2022 |
| Last Seen | January 2024 |
| Version | 1.0 |
| Created | 10 June 2024 |
| Last Modified | 03 October 2024 |
Groups
| ID | Name | References |
|---|---|---|
| G1017 | Volt Typhoon | Volt Typhoon used KV Botnet Activity to build intermediate communication chains between operators and victims, such as identified access to victims in Guam.1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.1 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.008 | Network Devices | KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.1 |
| enterprise | T1573 | Encrypted Channel | KV Botnet Activity command and control begins with the server transmitting an RSA public key, which is followed by further negotiation stages that form a handshake similar to a TLS negotiation.1 |
| enterprise | T1546 | Event Triggered Execution | KV Botnet Activity uses libevent to register a callback that inspects running processes: any process whose path contains busybox, wget, curl, tftp, telnetd, or lua and does not also contain the string bioset is terminated.1 |
| enterprise | T1083 | File and Directory Discovery | KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: /usr/sbin/, /usr/bin/, /sbin/, /pfrm2.0/bin/, /usr/local/bin/.1 |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.013 | Bind Mounts | KV Botnet Activity leveraged a bind mount to bind itself to the /proc/ file path before deleting its files from the /tmp/ directory.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.1 |
| enterprise | T1105 | Ingress Tool Transfer | KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.1 |
| enterprise | T1036 | Masquerading | KV Botnet Activity uses the prctl() options PR_SET_MM_EXE_FILE and PR_SET_NAME to change the process's reported executable path and process name during later infection stages.1 |
| enterprise | T1036.004 | Masquerade Task or Service | KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker/0:1], then renaming its initial installation stage to this process name.1 |
| enterprise | T1095 | Non-Application Layer Protocol | KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.1 |
| enterprise | T1571 | Non-Standard Port | KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.1 |
| enterprise | T1057 | Process Discovery | Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.1 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.009 | Proc Memory | KV Botnet Activity final payload installation includes mounting and binding to the /proc/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | KV Botnet Activity identified and removed security tools, as well as other identified IoT malware, from compromised devices.1 |
| enterprise | T1082 | System Information Discovery | KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim’s hosts file and CPU utilization.1 |
| enterprise | T1016 | System Network Configuration Discovery | KV Botnet Activity gathers victim IP information during initial installation stages.1 |
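The host artifacts listed above (a userland process renamed to [kworker/0:1], a payload that runs from memory after its file is deleted, a bind mount placed under /proc/, and a listener on a random port above 30,000) can all be checked from a /proc snapshot of a suspect device. The script below is an added example written for this page, not code from MITRE or Black Lotus Labs, and the snapshot it inspects is constructed for illustration rather than taken from a KV Botnet victim. It assumes the usual Linux semantics: genuine kernel threads have no readable /proc/<pid>/exe link and an empty cmdline, an unlinked binary shows up in the exe link with a trailing " (deleted)", a bind mount of a non-procfs path under /proc/ appears in /proc/mounts with its original filesystem type, and /proc/net/tcp encodes ports as hex with state 0A meaning LISTEN. The PROC_SUBMOUNTS_OK allow-list is an assumption about what legitimately lives under /proc/ and should be tuned per firmware.

```python
"""Triage a Linux /proc snapshot for KV Botnet-style host artifacts.

Added example, not MITRE's or Black Lotus Labs' code. Checks four indicators:
  - a process named like a kernel thread that has a userland exe or cmdline
    (T1036.004 masquerading as [kworker/0:1]);
  - a process whose /proc/<pid>/exe points at a deleted file
    (T1070.004 / T1055.009: on-disk copy removed, code kept in memory);
  - a non-procfs mount targeted under /proc/ (T1564.013 bind mount);
  - a TCP listener above port 30000 (T1571), parsed from /proc/net/tcp.
The snapshot records below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # readlink of /proc/<pid>/exe; "" if unreadable (kernel threads)
    cmdline: str   # /proc/<pid>/cmdline with NUL bytes replaced by spaces


# Names that real kernel threads use (assumed list; extend per kernel build)
KERNEL_THREAD_RE = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_)")
# /proc submounts that are legitimately not of type "proc" (assumption)
PROC_SUBMOUNTS_OK = {"/proc/sys/fs/binfmt_misc"}


def masquerading_kernel_threads(procs):
    """A kernel-thread name carrying a bracket, an exe link or a cmdline is userland."""
    hits = []
    for p in procs:
        name = p.comm.strip()
        if not KERNEL_THREAD_RE.match(name.strip("[]")):
            continue
        if name.startswith("[") or p.exe or p.cmdline.strip():
            hits.append(p.pid)
    return hits


def deleted_executables(procs):
    """exe link ending in ' (deleted)' means the binary was unlinked after exec."""
    return [p.pid for p in procs if p.exe.endswith(" (deleted)")]


def bind_mounts_over_proc(mounts_text):
    """Lines of /proc/mounts: '<src> <target> <fstype> <opts> 0 0'.
    A tmpfs directory bind-mounted onto /proc/<x> appears as a tmpfs target under /proc/."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        src, target, fstype = fields[:3]
        if target.startswith("/proc/") and fstype != "proc" and target not in PROC_SUBMOUNTS_OK:
            hits.append((target, fstype, src))
    return hits


def high_listeners(net_tcp_text, threshold=30000):
    """local_address in /proc/net/tcp is hexIP:hexPort; st 0A is LISTEN."""
    ports = []
    for line in net_tcp_text.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].split(":")[1], 16)
        if fields[3] == "0A" and port > threshold:
            ports.append(port)
    return sorted(ports)


def triage(procs, mounts_text, net_tcp_text):
    return {
        "masquerading": masquerading_kernel_threads(procs),
        "deleted_exe": deleted_executables(procs),
        "proc_bind_mounts": bind_mounts_over_proc(mounts_text),
        "high_listeners": high_listeners(net_tcp_text),
    }


# Constructed sample snapshot (not real victim data)
SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init", "/sbin/init"),
    Proc(17, "kworker/0:1", "", ""),                                       # genuine kernel thread
    Proc(2204, "[kworker/0:1]", "/tmp/.stage/a (deleted)", "[kworker/0:1]"),  # renamed userland stage
    Proc(981, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -f /etc/httpd.conf"),
]
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw 0 0
tmpfs /proc/2204 tmpfs rw 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
"""
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 0
   1: 00000000:8E5B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 0
   2: 0A000002:8E5B 0A000001:E1C4 01 00000000:00000000 00:00000000 00000000     0        0 5679 1 0 0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_MOUNTS, SAMPLE_NET_TCP).items():
        print(f"{key}: {value}")
```

On a live device, populate the Proc records from /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/cmdline, and feed /proc/mounts and /proc/net/tcp straight in. Each check on its own produces false positives (orphaned binaries after an upgrade also show " (deleted)", and vendors do place non-procfs mounts under /proc/), so treat a process that trips the masquerade and deleted-exe checks together, on a device with an unexplained high listener, as the signal worth pulling memory for.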
References
1. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
2. US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.