Akamai reported that during ongoing research on the KmsdBot, a syntax error caused the bot to stop sending commands, effectively killing the botnet, resulting in the end of the cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks.
Akamai researchers previously published a blog post about the KmsdBot, a cryptomining botnet with command-and-control capabilities that infected victims through SSH and weak credentials. After infecting one of Akamai’s honeypots, the Akamai team analyzed and reported on KmsdBot.
The KmsdBot infects new systems via SSH connections that use weak or default login credentials. It targets Windows and Linux devices with a wide range of architectures. KmsdBot, a Golang-based virus, has been discovered attacking a variety of businesses, including gambling, luxury vehicle brands, and security agencies. The botnet, according to researchers, infects systems via an SSH connection that uses weak login credentials. To avoid detection, the malware does not remain persistent on the infected system.
The malware gets its name from an application called “kmsd.exe” that is downloaded from a remote server after a successful penetration. It is also designed to support a wide range of architectures, including Winx86, Arm64, MIPS, and x86 64.
The sources for this piece include an article in BleepingComputer.