A threat actor has irreparably destroyed its own botnet with nothing more than a typo.
Cybersecurity firm Akamai, which had been tracking KmsdBot, a cryptomining botnet with distributed denial of service (DDoS) capabilities, spotted the blunder when the bot recently crashed with an “index out of range” error.
The Akamai researchers were monitoring the botnet while it was attacking a cryptocurrency-related website. At that point the threat actor “forgot” to put a space between an IP address and a port in a command, and sent that command to every running instance of KmsdBot. Most of the instances crashed and, given the nature of the botnet, stayed down.
A botnet with no persistence
The botnet is written in Go and has no persistence mechanism: once the bot process dies, nothing restarts it. The only way to get the botnet working again is therefore to re-infect every machine that made it up.
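To make the failure mode described above concrete, here is an added Go example written for this page; it is not taken from Akamai's analysis or from KmsdBot itself. A toy command handler splits an "attack <ip> <port>" line on whitespace and indexes the resulting fields. Go bounds-checks every slice index, so a missing space turns a three-field command into a two-field one and the handler dies with an "index out of range" runtime panic; a panic that nothing recovers terminates the whole process, which is why a bot with no persistence stays down. The command format, the function names and the 203.0.113.x addresses (a documentation range) are assumptions for illustration; the hardened parser shows the kind of field-count and value check that would have rejected the malformed command instead of crashing.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParseTargetNaive models a bot command handler that trusts the operator to
// send exactly "attack <ip> <port>" (assumed command format). Go slices are
// bounds-checked, so indexing a field that is not there panics instead of
// reading garbage; with no recover() in the goroutine, the process exits.
func ParseTargetNaive(cmd string) (host string, port int) {
	fields := strings.Fields(cmd)
	host = fields[1]
	port, _ = strconv.Atoi(fields[2]) // panics here when the space is missing
	return host, port
}

// RunNaive wraps the naive handler only so the panic text can be captured
// and shown; a bot with no such recovery simply dies at this point.
func RunNaive(cmd string) (result string) {
	defer func() {
		if r := recover(); r != nil {
			result = fmt.Sprintf("crashed: %v", r)
		}
	}()
	host, port := ParseTargetNaive(cmd)
	return fmt.Sprintf("ok %s", net.JoinHostPort(host, strconv.Itoa(port)))
}

// ParseTargetSafe validates the field count and each value before using
// them, returning an error instead of panicking on a malformed command.
func ParseTargetSafe(cmd string) (host string, port int, err error) {
	fields := strings.Fields(cmd)
	if len(fields) != 3 || fields[0] != "attack" {
		return "", 0, fmt.Errorf("expected \"attack <ip> <port>\", got %d field(s)", len(fields))
	}
	if net.ParseIP(fields[1]) == nil {
		return "", 0, fmt.Errorf("%q is not an IP address", fields[1])
	}
	port, err = strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return "", 0, errors.New("port must be an integer in 1..65535")
	}
	return fields[1], port, nil
}

func main() {
	// Constructed sample commands: the second one is missing the space
	// between the address and the port, as in the incident described above.
	for _, cmd := range []string{"attack 203.0.113.10 443", "attack 203.0.113.10443"} {
		fmt.Printf("%-26q naive: %s\n", cmd, RunNaive(cmd))
		if h, p, err := ParseTargetSafe(cmd); err != nil {
			fmt.Printf("%-26q safe:  rejected: %v\n", cmd, err)
		} else {
			fmt.Printf("%-26q safe:  %s:%d\n", cmd, h, p)
		}
	}
}
```

Running it shows the well-formed command accepted by both parsers and the malformed one producing "crashed: runtime error: index out of range [2] with length 2" from the naive handler, while the safe parser rejects it with an error the operator could act on. The broader lesson for defenders is that any long-running Go service handling untrusted or operator-typed input needs either input validation of this kind or a recover() boundary around each command, or a single bad line takes the process down.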
Akamai’s chief security intelligence response engineer, Larry Cashdollar, said nearly all KmsdBot activity tracked by the company has stopped, but added that the threat actors could try to re-infect the endpoints. Reporting the news, Ars Technica added that the best way to defend against KmsdBot is to use public key authentication for Secure Shell (SSH) connections, or at least to use stronger credentials.
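The defensive advice above comes down to a few OpenSSH server directives. The fragment below is an added example, not from the article, Ars Technica or Akamai; it shows the weak settings a credential brute-forcer relies on next to the hardened ones, using standard sshd_config directive names. The file path is the usual Linux default and is an assumption.

```text
# /etc/ssh/sshd_config (added example; path is the common Linux default)

# Weak: what a bot brute-forcing SSH credentials needs in order to succeed
#PasswordAuthentication yes
#PermitRootLogin yes

# Hardened: accept keys only, never passwords
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no      # ChallengeResponseAuthentication on OpenSSH before 8.7
PermitRootLogin prohibit-password
MaxAuthTries 3
```

Before reloading, run `sshd -t` to syntax-check the file and keep an existing session open while you confirm a key-based login still works from a second terminal, so a mistake does not lock you out. Disabling password authentication removes the attack surface KmsdBot was using to spread in the first place.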
According to Akamai, the botnet's default target is a company that runs private Grand Theft Auto Online servers. Although the bot is capable of mining cryptocurrency for the attackers, that feature was not active during the investigation; only the DDoS functionality was. In other cases it targeted security companies and luxury car brands.
The company first spotted the botnet in November this year, when it was brute-forcing systems with weak SSH credentials.