[MART] - Daily Diary #455 - Kraken, A New Botnet Under Development

CTAS-MAT ctas-mat at appgate.com
Thu Feb 17 21:37:38 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

02/17/2022 - Diary entry #455:

This week a new botnet was disclosed. Known as Kraken, it is written in Golang and is still under development. Although it shares its name with the Kraken botnet of 2008, at the time the world's largest, the two are not related.

Kraken is delivered by SmokeLoader, a generic backdoor distributed through spam campaigns (covered in Daily Diary #112). The Kraken binary is packed with UPX and protected with Themida. Once executed, it copies itself to another folder, adds that new location to Microsoft Defender's exclusion list so the file is never scanned, and creates a registry key so that it runs automatically at every logon.

Next, it collects data from the victim's machine and sends it to its C2. Kraken's capabilities vary from version to version: it can download and execute files, take screenshots, run shell commands, steal cryptocurrency wallet files and, in some versions, brute-force SSH logins. Finally, Kraken's operators have a web panel that lets them interact with infected hosts and check the estimated earnings from the cryptocurrency miners deployed by the botnet.

The versions released so far suggest that Kraken is still under development and experimenting with new functionality. Its C2 servers frequently disappear, and so far it has been used mostly to deploy other payloads, such as cryptocurrency miners and information stealers like RedLine.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
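The two host-side artefacts the diary entry describes, a Microsoft Defender path exclusion and a Run-key autostart, are cheap to hunt for together. The script below is an added example, not code from the diary entry or from Appgate, and it makes no assumption about which folder Kraken copies itself to (the entry does not say): it lists every Defender exclusion, every Run-key entry, and flags an autostart whose executable lives inside an excluded folder, which is the combination a loader produces and a legitimate product almost never does. The list of "suspicious" user-writable roots is an assumption to tune per environment, and the final query for Defender event ID 5007 (the platform's configuration-change event, which records exclusion changes) is an addition here for tying the artefact to a time, not something the entry mentions. Run it as an administrator on the host being checked.

```powershell
# Added example, not from the diary entry or Appgate.
# Hunts for a Defender path exclusion plus a Run-key autostart and
# correlates the two. Run as administrator.

# User-writable roots a legitimate product rarely needs excluded.
# Assumption: adjust this list to your environment.
$SuspiciousRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($root in $SuspiciousRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

# 1. Defender path exclusions (what the loader adds to avoid being scanned)
$exclusions = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
foreach ($ex in $exclusions) {
    $flag = if (Test-SuspiciousPath $ex) { 'SUSPICIOUS' } else { 'info' }
    "[{0}] Defender exclusion: {1}" -f $flag, $ex
}

# 2. Run keys (what the loader uses to start at every logon)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps }).Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        # Strip quotes and arguments to isolate the executable path
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # The tell-tale combination: autostart target sitting inside an excluded folder
        $insideExclusion = $exclusions | Where-Object { $exe -like "$($_.TrimEnd('\'))*" }
        $flag = if ($insideExclusion) { 'SUSPICIOUS: autostart inside a Defender exclusion' }
                elseif (Test-SuspiciousPath $exe) { 'review: autostart from user-writable path' }
                else { 'info' }
        "[{0}] {1}\{2} -> {3}" -f $flag, $key, $name, $cmd
    }
}

# 3. Defender configuration-change events (ID 5007) record when an exclusion
# was added, which gives the artefact a timestamp to pivot on in other logs.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
```

A clean host normally prints nothing marked SUSPICIOUS; an entry marked "review" only means the autostart runs from a user-writable folder, which is common for legitimate per-user installers, so compare it against the exclusion list and the 5007 timestamps before acting on it.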
