KmsdBot Malware Hijacking Systems to Launch DDoS Attacks and for Crypto Mining (18th November 2022)

Ref# AL2022_75 | Date: Nov 18th 2022


A recently discovered evasive malware uses the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems, with the goal of carrying out distributed denial-of-service (DDoS) attacks and mining cryptocurrency.


The Golang-based virus, known as KmsdBot, has been discovered to attack a range of businesses, including gambling, luxury vehicle brands, and security agencies.

According to researchers, the botnet infects systems via an SSH connection that leverages weak login credentials. As a means of avoiding discovery, the malware does not stay persistent on the infected system. 

The malware takes its name from an application called “kmsd.exe” that is downloaded from a remote server after a successful penetration. It is also built to support a variety of architectures, including Winx86, Arm64, MIPS, and x86_64.

By downloading a list of login and password combinations, KmsdBot can carry out scanning activities and spread itself. It can also update the malware and manage the mining process.


The following are some recommendations to keep systems and networks secure:  

  • For servers or installed programs, avoid using weak or default credentials.  

  • Regularly check deployed applications and keep them updated with the most recent security fixes.

  • To secure your SSH connections, use public key authentication. This is the easiest approach to stop this kind of system compromise. 
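
To check the public key recommendation above on a server, the following added example (not part of the original alert) audits sshd_config text for settings that still allow password logins. The function names and sample configurations are constructed for illustration; the defaults are assumed to be those of current OpenSSH, and Match blocks are only flagged, not evaluated.

```python
DEFAULTS = {  # OpenSSH values when a keyword is absent (assumed: current releases)
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
CHECKS = [  # (keyword, safe value, finding text)
    ("passwordauthentication", "no", "PasswordAuthentication enabled: passwords can be guessed"),
    ("kbdinteractiveauthentication", "no", "KbdInteractiveAuthentication enabled: may still prompt for passwords"),
    ("pubkeyauthentication", "yes", "PubkeyAuthentication disabled: key-based login unavailable"),
]

def effective_settings(text):
    """Return (global settings, has_match). sshd keeps the FIRST value of a keyword."""
    seen, has_match = {}, False
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        if key == "match":  # conditional blocks follow; stop reading globals
            has_match = True
            break
        if len(parts) > 1:
            seen.setdefault(key, parts[1].strip('"'))  # later duplicates are ignored
    return {**DEFAULTS, **seen}, has_match

def audit(text):
    settings, has_match = effective_settings(text)
    findings = [msg for key, safe, msg in CHECKS if settings[key] != safe]
    if has_match:
        findings.append("Match blocks present: review them, they can override globals")
    return findings

# Constructed samples, not taken from any real host.
WEAK = """Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, the output of `sshd -T` gives the effective configuration and can be passed to `audit()` in place of the file contents.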

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
