ZeroFox Intelligence discovered Kraken, a previously unknown botnet, in late October 2021. Although it is still in active development, Kraken can already download and execute secondary payloads, run shell commands, and take screenshots of the victim's system.

It currently spreads through SmokeLoader, a loader used to install other malicious software, and quickly gains hundreds of bots with each deployment of a new command-and-control (C2) server.

Cybersecurity researchers have unpacked Kraken, a new Golang-based botnet in active development that includes a slew of backdoor capabilities for siphoning sensitive data from compromised Windows hosts.

The botnet includes an administration panel that lets the threat actor upload new payloads, interact with a selected number of bots, and view command history and victim information.

Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash are among the cryptocurrency wallets targeted. RedLine Stealer, which harvests saved credentials, autocomplete data, and credit card information from web browsers, is also consistently downloaded and executed on the infected machine.

  • Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
  • Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
  • Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
  • Avoid opening unsolicited attachments and never click suspicious links.
  • Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
  • Review network logs for potential signs of compromise and data egress.

ZeroFox has seen a server's activity dwindle on multiple occasions, only for another to appear a short time later on a different port or a completely different IP address. Each time the operator changes the C2, Kraken quickly gains hundreds of new bots by spreading through SmokeLoader. Monitoring the commands sent to Kraken victims from October 2021 to December 2021 revealed that the operator had been focused solely on pushing information stealers, specifically RedLine Stealer.

Finally, the researchers concluded: "Kraken has also emerged as a conduit for the deployment of other generic information stealers and cryptocurrency miners over time, earning botnet operators around $3,000 per month. At this time, it is unknown what the operator intends to do with the stolen credentials that have been collected."

Indicators of Compromise

IP addresses:

  • 65.21.105.85
  • 91.206.14.151
  • 95.181.152.184
  • 185.112.83.22
  • 185.112.83.96
  • 185.206.212.165
  • 213.226.71.125

SHA-256 hashes:

  • 1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115
  • d742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088
  • ddf039c3d6395139fd7f31b0a796a444f385c582ca978779aae7314b19940812
  • dcaaef3509bc75155789058d79f025f14166386cec833c2c154ca34cfea26c52
  • 54d36e5dce2e546070dc0571c8b3e166d6df62296fa0609a325ace23b7105335
  • 095c223b94656622c81cb9386aefa59e168756c3e200457e98c00b609e0bb170
  • 0f0cabb24d8cc93e5aed340cfc492c4008509f1e84311d61721a4375260a0911
  • 2ced68e4425d31cca494557c29a76dfc3081f594ff01549e41d2f8a08923ef61
  • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
  • ef3e0845b289f1d3b5b234b0507c554dfdd23a5b77f36d433489129ea722c6bb
  • 7c76ca5eb757df4362fabb8cff1deaa92ebc31a17786c89bde55bc53ada43864
  • 48c2f53f1eeb669fadb3eec46f7f3d4572e819c7bb2d39f22d22713a30cc1846
  • 43f46a66c821e143d77f9311b24314b5c5eeccfedbb3fbf1cd484c9e4f537a5d
  • 8c4294e3154675cd926ab6b772dbbe0e7a49cae16f4a37d908e1ca6748251c43
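The recommendation above to review network logs for signs of compromise, together with the observation that the operator rotates C2 ports and addresses, is easiest to act on with a small IOC sweep. The script below is an added example, not code from ZeroFox or from the article: it loads the IP addresses and SHA-256 hashes listed above, extracts dotted-quad addresses from arbitrary log lines (validating each one so version strings and out-of-range octets are not mistaken for addresses), flags lines that touch a listed C2, and hashes files on disk against the sample list. The firewall lines in `CONSTRUCTED_FIREWALL_LOG` are constructed for the demo and are not real traffic; the field names and ports in them are assumptions.

```python
import hashlib
import ipaddress
import re
from pathlib import Path
from typing import Iterable

# Kraken C2 addresses and sample SHA-256 hashes, copied from the IOC list above.
KRAKEN_C2_IPS = frozenset({
    "65.21.105.85",
    "91.206.14.151",
    "95.181.152.184",
    "185.112.83.22",
    "185.112.83.96",
    "185.206.212.165",
    "213.226.71.125",
})

KRAKEN_SHA256 = frozenset({
    "1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115",
    "d742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088",
    "ddf039c3d6395139fd7f31b0a796a444f385c582ca978779aae7314b19940812",
    "dcaaef3509bc75155789058d79f025f14166386cec833c2c154ca34cfea26c52",
    "54d36e5dce2e546070dc0571c8b3e166d6df62296fa0609a325ace23b7105335",
    "095c223b94656622c81cb9386aefa59e168756c3e200457e98c00b609e0bb170",
    "0f0cabb24d8cc93e5aed340cfc492c4008509f1e84311d61721a4375260a0911",
    "2ced68e4425d31cca494557c29a76dfc3081f594ff01549e41d2f8a08923ef61",
    "3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36",
    "ef3e0845b289f1d3b5b234b0507c554dfdd23a5b77f36d433489129ea722c6bb",
    "7c76ca5eb757df4362fabb8cff1deaa92ebc31a17786c89bde55bc53ada43864",
    "48c2f53f1eeb669fadb3eec46f7f3d4572e819c7bb2d39f22d22713a30cc1846",
    "43f46a66c821e143d77f9311b24314b5c5eeccfedbb3fbf1cd484c9e4f537a5d",
    "8c4294e3154675cd926ab6b772dbbe0e7a49cae16f4a37d908e1ca6748251c43",
})

# Candidate dotted quads. The lookarounds stop a five-part string such as a
# build number "7.185.112.83.22" from yielding a bogus four-octet substring;
# ipaddress then rejects octets above 255.
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text: str) -> list[str]:
    """Return every syntactically valid IPv4 address found in text, in order."""
    found = []
    for m in _IPV4_RE.finditer(text):
        try:
            found.append(str(ipaddress.IPv4Address(m.group(0))))
        except ipaddress.AddressValueError:
            continue  # matched the shape but not a real address (e.g. 999.1.2.3)
    return found


def scan_log(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, C2 address) for every line that mentions a listed C2."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in KRAKEN_C2_IPS:
                hits.append((lineno, ip))
    return hits


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large droppers never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(digests: Iterable[str]) -> set[str]:
    """Return the subset of digests (any case) that are listed Kraken samples."""
    return {d.lower() for d in digests} & KRAKEN_SHA256


def scan_files(paths: Iterable[Path]) -> list[tuple[Path, str]]:
    """Hash each file and report those whose SHA-256 is a listed Kraken sample."""
    hits = []
    for p in paths:
        digest = sha256_of_file(p)
        if digest in KRAKEN_SHA256:
            hits.append((p, digest))
    return hits


# Constructed firewall lines for the demo (not real traffic). Lines 1 and 3
# reach listed C2 addresses; line 4 contains a five-part version string that
# must not be mistaken for 185.112.83.22.
CONSTRUCTED_FIREWALL_LOG = [
    "2021-11-03T14:02:11Z ACCEPT src=10.0.5.23 dst=185.112.83.96 proto=tcp dport=443",
    "2021-11-03T14:02:15Z ACCEPT src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=443",
    "2021-11-03T14:03:40Z ACCEPT src=10.0.7.9 dst=65.21.105.85 proto=tcp dport=8080",
    "2021-11-03T14:03:41Z INFO agent build 7.185.112.83.22 checked in",
]

if __name__ == "__main__":
    for lineno, ip in scan_log(CONSTRUCTED_FIREWALL_LOG):
        print(f"line {lineno}: connection to listed Kraken C2 {ip}")
```

The match is deliberately on the address alone, never on the port, because the article reports the operator moving the same campaign to a new port as readily as to a new address. For the same reason an address list like this one decays quickly; treat a hit as a confirmed finding but treat the absence of hits as weak evidence, and pair the sweep with the broader egress review recommended above.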
