Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Fast-Growing Golang-Based ‘Kraken’ Botnet Emerges

Over the past several months, a new Golang-based botnet targeting Windows has been ensnaring hundreds of new systems with every newly deployed command and control (C&C) server, cybersecurity firm ZeroFox reports.

Over the past several months, a new Golang-based botnet targeting Windows has been ensnaring hundreds of new systems with every newly deployed command and control (C&C) server, cybersecurity firm ZeroFox reports.

Dubbed Kraken, the botnet can download and execute secondary payloads onto the compromised systems, but is also capable of information harvesting, shell-command execution, cryptocurrency theft, and taking screenshots, in addition to maintaining persistence.

Kraken initially emerged on GitHub on October 10, 2021, with the source code pre-dating all of the observed binaries. However, it is unclear whether the botnet operator created the GitHub account or simply stole the code.

The botnet spreads via the SmokeLoader backdoor. Initially, it was being deployed as self-extracting RAR SFX files, but now the backdoor downloads Kraken directly.

The botnet attempts to evade detection by running two commands: one to instruct Microsoft Defender not to scan its installation folder, and another to set the hidden attribute to the copied EXE file.

Furthermore, Kraken sets a specific Windows Run registry key that ensures it is executed each time the victim logs in.

[READ: Sophisticated FritzFrog P2P Botnet Returns After Long Break]

The botnet features a simple set of capabilities, but its operators were observed adding new features to the malware, including information harvesting functionality. It is also capable of downloading and executing secondary payloads and bot updates.

Advertisement. Scroll to continue reading.

The threat also enables operators to run shell commands, and takes screenshots upon execution. Some of the observed builds featured SSH brute-forcing functionality that has been removed.

Recently, Kraken’s developers added the ability to steal funds from a variety of cryptocurrency wallets. Data obtained from a cryptocurrency mining pool shows that the botnet’s operators are making roughly $3,000 per month.

Since October 2021, the cybercriminals created multiple versions of the administration dashboard, with the newer ones featuring a complete redesign and offering more statistics and information, as well as additional options when selecting targets.

According to ZeroFox, because Kraken’s operators use SmokeLoader for delivery, hundreds of new bots are being added to the network each time they change the C&C server.

“Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet,” ZeroFox concludes.

Related: Abcbot DDoS Botnet Linked to Older Cryptojacking Campaign

Related: Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability

Related: Massive Android Botnet Hits Smart TV Ad Ecosystem

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.