It has been a long time since you heard the term "virus" rather than "malware". Yes, you read that correctly. Researchers have discovered a new wave of a malicious campaign called "KBOT" that inserts malicious code into Windows executable files.
They describe it as a living virus that has spread widely over the past few years through infected external drives, local networks and the Internet, reproducing itself by modifying other programs with its own code.
A successful "infection" slows the system down by injecting into system processes, gives the attackers complete remote control of the machine, and steals personal data that is then used to steal users' banking data.
How KBOT Infects
Infection by the KBOT virus begins aggressively with replication across the local network, spreading quickly to other computers and infecting executable files with no chance of recovery.
KBOT immediately infects every EXE file it can reach, on HDD partitions, external media, network drives and network folders, with its malicious code.
KBOT appends XOR-encrypted data to the end of one of the file's sections (.rsrc, .data or .rdata). The encrypted data contains the "body" of the main malware library (a DLL) together with the code that decrypts it.
It can also run inside system applications and attempt to infect the current process with its code.
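A defender's heuristic for the section-append technique described above, as an added example that is not part of the original article: it parses the PE section table without third-party libraries and flags .rsrc/.data/.rdata sections whose trailing bytes have the near-8-bit entropy typical of XOR-encrypted payloads. The threshold, tail length and the minimal PE fixture are assumptions for illustration.

```python
import math
import struct

SECTIONS_OF_INTEREST = {b".rsrc", b".data", b".rdata"}  # sections the article names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, lower for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def suspicious_tails(pe: bytes, tail_len: int = 512, threshold: float = 7.0):
    """Names of .rsrc/.data/.rdata sections whose last tail_len bytes look encrypted."""
    flagged = []
    for name, ptr, size in parse_sections(pe):
        if name in SECTIONS_OF_INTEREST and size >= tail_len:
            tail = pe[ptr + size - tail_len: ptr + size]
            if shannon_entropy(tail) >= threshold:
                flagged.append(name.decode())
    return flagged

def build_sample_pe(section_body: bytes) -> bytes:
    """Constructed minimal PE with one .data section: a test fixture, not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                          # body starts right after the table
    header = b".data".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_body), 0x1000, len(section_body), raw_ptr, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + header + section_body
```

Run it over a real sample with `suspicious_tails(open(path, "rb").read())`; a hit is a triage signal, not proof, since packed resources also score high.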
DLL hijacking attempt
KBOT attempts DLL hijacking, infecting system binaries that are loaded when the system starts up.
The virus specifically searches for executable EXE files suitable for attack in the C:\Windows\System32 folder. It then changes the files' permissions, names and types.
To gain remote access to the system, the attackers behind KBOT create reverse connections to the servers listed in the BC.ini file.
The virus also receives several commands from the C2 server operated by the attacker:
- DeleteFile - delete the specified file.
- UpdateFile - update the specified file.
- UpdateInjects - update the injects ini file.
- UpdateHosts - update the hosts list.
- UpdateCore - update the main bot module and the kbot.ini configuration file.
- Uninstall - uninstall the malware.
- UpdateWormConfig - update worm.ini, which holds information about the location of the EXE files to be infected.
The virus also modifies the Remote Desktop Server settings so that multiple concurrent sessions can be created over the RDP protocol.