
KBOT

Posted: February 12, 2020

KBOT is a virus that contains elements of both backdoor Trojans and spyware. KBOT propagates by compromising Windows executables and may spread throughout networks while collecting data and giving attackers access to the infected systems. Users under attack should disinfect their PCs by running thorough anti-malware scans for removing KBOT and re-secure any vulnerable credentials immediately.

A Rare Case of a True Virus in Operation

While viruses are one of the classical archetypes of Black Hat software, they're highly impractical and 'noisy,' meaning that current Black Hat programming efforts tend towards other threats. However, an unknown threat actor is bringing the virus back in the form of KBOT – do not confuse it with the KPOT spyware, although it shares similar goals. Like KPOT, KBOT exfiltrates information, but with the added features of a self-propagating virus.

KBOT inserts its code into Windows executables, discarding the original entry point information and, with it, the file's intended functionality (such as launching a word-processing program). After that, the infected file serves as a 'nest' for re-distributing KBOT. An early investigation by Kaspersky also shows that the Trojan has network-movement capabilities and can compromise files both on local drives such as C: or D: and on network-shared folders.
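The infection mechanism described above, an overwritten entry point in a host executable, is something a defender can audit without running the file. The following Python is an added example, not code from the original article or from Kaspersky's analysis: it parses the PE headers by hand, flags an entry point that falls outside every section, inside a non-executable section, or inside a code section other than the first one, and compares it against the entry point of a known-good baseline copy. The section-layout heuristics are the example's own assumptions, and `build_pe` constructs header-only test images rather than real binaries.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag: executable

def parse_pe(pe: bytes):
    """Return (entry_rva, [(name, vaddr, size, characteristics), ...]); raise on non-PE input."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # optional header
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                                # section table (40 bytes per entry)
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, hdr + 8)
        chars, = struct.unpack_from("<I", pe, hdr + 36)
        sections.append((name, vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections

def audit_entry_point(pe: bytes, baseline_rva=None):
    """List findings about where the entry point lands; an empty list means it looks normal."""
    entry_rva, sections = parse_pe(pe)
    home = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    code = [s for s in sections if s[3] & IMAGE_SCN_MEM_EXECUTE]
    findings = []
    if home is None:
        findings.append(f"entry point 0x{entry_rva:x} lies outside every section")
    elif not home[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {home[0]}")
    elif code and home is not code[0]:  # heuristic: legitimate builds start in the first code section
        findings.append(f"entry point in {home[0]}, not in first code section {code[0][0]}")
    if baseline_rva is not None and entry_rva != baseline_rva:
        findings.append(f"entry point moved from 0x{baseline_rva:x} to 0x{entry_rva:x}")
    return findings

def build_pe(entry_rva, sections):
    """Construct a header-only PE32 image for offline testing (constructed sample, no real code)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Running the audit over a file tree and diffing the results against a golden inventory of entry-point RVAs is the practical use; a clean build reports nothing, while an infector that redirects execution to appended code trips the section heuristic and the baseline comparison.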

The damaging of files is incidental to KBOT's aims of collecting information. It includes discrete modules for filching content such as cryptocurrency wallet info, automatically sends some system information to the attacker's Command & Control server, and patches Web browsers like Chrome to expose Web surfers to fake or 'spoofed' Web pages. Expected targets of these attacks include bank account and network admin passwords and usernames.

Ferrying Old School Software Back to Its Rightful Graves

Most viruses are overtly detectable, even by casual observation. In this respect, KBOT isn't different from other threats of its kind. Although it causes noticeable performance issues such as slowdowns and disrupts the functioning of files, it does wield significant evasive and anti-analysis features. The virus also can inject code into running processes rather than only into EXE files, and can even uninstall itself completely, if necessary.

Precautions that victims should take include disabling network connectivity to block KBOT's C&C contact and isolating infected systems and devices from uninfected ones. Until the PC is taken offline, the attacker not only has access to data but also may control the PC directly through Remote Desktop sessions. Users also should avoid launching potentially-compromised executables, since, in typical virus fashion, KBOT re-loads itself with adjustable, polymorphic code each time the hosting file opens.

Update your anti-malware solutions as appropriate for flagging, quarantining, or deleting recent threats when necessary. Removing KBOT, while essential for your system's safety and privacy, doesn't restore the functionality of your files – even with an appropriate anti-malware service.

Malware experts are rating KBOT as being a highly unexpected entry into a threat landscape whose pivot away from a virus-based distribution model is well-known. It just goes to show that even old weaponry can be quite threatening in the hands of freshly-made software.
