The PolySwarm Blog

Volt Typhoon's KV-Botnet

Jan 22, 2024 1:38:21 PM / by The Hivemind

Verticals Targeted: Government

Executive Summary

Volt Typhoon was observed compromising Cisco RV325 devices with KV-Botnet.

Key Takeaways

  • Volt Typhoon was observed compromising Cisco RV325 devices with KV-Botnet.
  • Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused, China-nexus, state-sponsored threat actor group.
  • The threat actors appeared to be targeting government entities in the US, UK, and Australia.
  • The group was also observed using previously unidentified infrastructure and a previously unspecified webshell.

What is KV-Botnet?

Volt Typhoon was observed compromising Cisco RV325 devices with KV-Botnet. SecurityScorecard reported on this activity. The threat actors appeared to be targeting government entities in the US, UK, and Australia.

KV-Botnet is an extensive botnet made up of compromised firewalls and routers. It is used for covert data transfer, likely in support of espionage. The threat actors have been using KV-Botnet since at least 2022.

Volt Typhoon reportedly compromised 30% of Cisco RV325 devices in 37 days. The group likely leveraged either CVE-2019-1653 or CVE-2019-1652 to compromise the devices. It is important to note that the Cisco RV325 has reached end of life: Cisco no longer supports the device, and no software updates will be released to address these security issues.

SecurityScorecard researchers also discovered previously unidentified infrastructure used by the threat actors, as well as a previously unspecified webshell, known as fy.sh, on devices targeted by Volt Typhoon.

Black Lotus Labs recently reported on KV-Botnet as well and assessed that Volt Typhoon was likely building new infrastructure for upcoming attacks. According to Black Lotus Labs, Volt Typhoon was also observed targeting DrayTek, Fortinet, and Netgear devices with KV-Botnet. They noted that other China-nexus threat actors may also be using KV-Botnet.

Who is Volt Typhoon?

Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused, China-nexus, state-sponsored threat actor group. The group has been active since at least 2021. Volt Typhoon is known to use LOLBins (living-off-the-land binaries) and web shells in its attacks. In 2023, Volt Typhoon was observed targeting US critical infrastructure. Targets included critical infrastructure entities in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education verticals. The US Navy was among the group's victims.

IOCs

PolySwarm has multiple samples of KV-Botnet.

You can use the following CLI command to search for all KV-Botnet samples in our portal:

$ polyswarm link list -f KV-Botnet

You can use the following CLI command to search for all VoltTyphoon samples in our portal:

$ polyswarm link list -t VoltTyphoon


Topics: Threat Bulletin, APT, Critical Infrastructure, China, Linux, Volt Typhoon, KV-Botnet
