Friday, January 22, 09:02
New KBOT virus enters malicious code into Windows files and steals data!

It has been a long time since you last heard the term "virus" rather than "malware", and yes, the word is deliberate here. Researchers have discovered a new malicious campaign, called "KBOT", that inserts malicious code into Windows executable files.

They describe it as a living virus that has spread widely over the past few years through infected external drives, local networks and the Internet, reproducing itself by modifying other programs with its own code.

A successful infection slows the system down by injecting into system processes and gives the attackers complete remote control of the machine, stealing personal data that is then used to steal the users' banking data.

KBOT also downloads additional modules with theft capabilities that collect passwords and logins, cryptowallet data, file lists and the list of installed applications, and send them to the C2 servers.

How KBOT Infects

Infection by the KBOT virus begins aggressively: it replicates across the local network, spreads quickly to other computers and infects executable files, which cannot be recovered afterwards.

KBOT immediately infects all EXE files it can reach, on HDD partitions, external media, network drives and network folders, by writing malicious code into them.

KBOT appends its data, encrypted with the XOR method, to the end of the infected files and decrypts it when it is needed.
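Because the infector appends its payload past the end of the last PE section, a quick triage check for this kind of infection is to look for an "overlay" in EXE files. The Python below is an added example, not Kaspersky's analysis or KBOT's own code; the minimal PE blob and the XOR key it uses are constructed here purely for illustration.

```python
import math
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class OverlayReport:
    overlay_offset: int    # file offset where bytes past the last section begin
    overlay_size: int      # number of bytes appended beyond the mapped image
    entropy: float         # Shannon entropy of the overlay (0.0 when empty)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; single-byte XOR keeps the plaintext's entropy, zero padding scores 0."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def pe_overlay(data: bytes) -> Optional[OverlayReport]:
    """Locate any bytes past the end of the last PE section (the 'overlay')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sec_table = e_lfanew + 24 + opt_hdr_size
    image_end = sec_table + 40 * num_sections      # headers end here at minimum
    if image_end > len(data):
        return None                                # truncated section table
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = data[image_end:]
    return OverlayReport(image_end, len(overlay), shannon_entropy(overlay))

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used only to build the constructed sample below."""
    return bytes(b ^ key for b in data)

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed, non-executable PE-shaped blob: one 16-byte section at offset 0x80."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # no optional header
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + b"\x90" * 0x10 + overlay
```

Legitimate files also carry overlays (Authenticode signatures, installer payloads), so a non-empty overlay is a signal to compare the file against a known-good copy, not a verdict on its own.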

It can also operate inside system applications and tries to infect the code of the current process.

DLL hijacking attempt

KBOT also attempts DLL hijacking, infecting system binaries when the system starts up.

The virus specifically searches the C:\Windows\System32 folder for EXE files that are suitable for attack. It then modifies their file permissions, their names and their types.

To gain remote access to the system, the hackers behind KBOT create reverse connections to the servers listed in the BC.ini file.

The virus also receives several commands from the attacker-controlled C2 server:

  • DeleteFile - delete the specified file.
  • UpdateFile - update the specified file.
  • UpdateInjects - update the injects ini file.
  • UpdateHosts - update the hosts.
  • UpdateCore - update the main bot module and the kbot.ini configuration file.
  • Uninstall - uninstall the malware.
  • UpdateWormConfig - update worm.ini, which holds the locations of the EXE files to be infected.

The virus also changes the Remote Desktop Server settings so that multiple concurrent sessions can be opened over the RDP protocol.

"It allows its operators to control the compromised system remotely, stealing personal data and the users' banking data," said Kaspersky's researcher.
