You hear the term "virus" instead of malware after a long time !! Yes, you are listening correctly. Researchers have discovered a new wave of malicious campaign called "KBOT" that inserts malicious code into executable Windows files.
They describe it as a live virus that has spread widely over the past few years through infected external drive, local network and Internet to reproduce itself by modifying other computer programs using its own code.
Successful "infection" will slow down the system by injecting the system process and take complete control of the system remotely, stealing in person data which will use to steal users' banking data.
KBOT also downloads additional modules with theft capabilities for collection passwords / logins, cryptowallet data, file lists, and installed applications and shipping to C2 servers.
How KBOT Infects
The process of infection by the KBOT virus begins aggressively with replications on a local network and spreads quickly to another computer, infecting executable files with no chance of recovery.
KBOT instantly infects all EXE files, including HDD partitions, external media, network drives and network folders, using malicious code.
KBOT adds the encrypted data (using the XOR method) at the end of the following .rsrc, .data, .rdata files, and the encrypted data contains the "body" of the main malware (DLL) library, as well as code for decryption.
It can also work within system applications and try to infect the code in the current process.
Try hijacking DLL
KBOT malware makes a hijacking DLL attempt, infecting binary files systemic when the system starts up.
The virus searches for specifically executable EXE files that are suitable for attacking the C: \ Windows \\ System32 folder. It then makes changes to the file permissions, in names and in their kind.
To gain remote access to the system, hackers behind KBOT create reverse links to the servers listed in the BC.ini file.
The virus also received several commands from the C2 server managed by the attacker.
- DeleteFile - delete this file.
- UpdateFile - update to this file.
- UpdateInjects - update to ini.
- UpdateHosts - update update.
- UpdateCore - update to the main bot module and the kbot.ini configuration file.
- Uninstall - uninstall malware.
- UpdateWormConfig - update to worm.ini containing information about the location of the EXE files to be infected.
The virus also configures Remote Desktop Server settings to create multiple concurrent sessions using the RDP protocol.
“It allows its operators to control it compromised system remotely, stealing in person data and steal users' banking data, "said Kaspersky's researcher.
The author allows you to copy his / her text only if you report the source (SecNews.gr), as an e-mail address (Live URL) of the article.
Updated on by
Parallax RAT: The dangerous trojan sold on hacking forums
Greek
Arabic
Chinese (Simplified)
English
French
German
Italian
Russian
Comment Policy:
SecNews.gr does not immediately post comments. Malicious comments, comments that include ads, or comments with insults are deleted without any warning. We do not endorse the views expressed by our readers.