Key Takeaways
What is KV-Botnet?
KV-Botnet is an extensive botnet consisting of firewalls and routers. It is used for covert data transfer, likely for espionage purposes. The threat actors have been using KV-Botnet since at least 2022.
Volt Typhoon reportedly compromised 30% of Cisco RV325 in 37 days. The group likely leveraged either CVE-2019-1653 or CVE-2019-1652 to compromise the devices. It is important to note that the Cisco RV325 devices have reached end of life, meaning Cisco no longer offers support for the devices and there will be no software updates to address the security issues.
SecurityScorecard researchers also discovered previously unidentified infrastructure used by the threat actors, as well as a previously unspecified webshell, known as fy.sh, on devices targeted by Volt Typhoon.
Black Lotus Labs recently reported on KV-Botnet as well and assessed that Volt Typhoon was likely developing new infrastructure for upcoming attacks. According to Black Lotus Labs, Volt Typhoon was also observed targeting DrayTek, Fortinet, and Netgear devices with KV-Botnet. They noted other China nexus threat actors may also be using KV-Botnet.
Who is Volt Typhoon?
Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused China nexus state-sponsored threat actor group. The group has been active since at least 2021. Volt Typhoon is known to use LoLbins and web shells in their attacks. In 2023, Volt Typhoon was observed targeting US critical infrastructure. Targets included critical structure entities in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education verticals. The US Navy was among the group’s victims.
IOCs
PolySwarm has multiple samples of KV-Botnet.
88fc3816c94f9b0191179f4e933843ee4cfdbcb392968605491a387b1235ec12
6a8230e66011e0a0012273f7d12110c23b1e33bd7232dc67a836662a3d1075c7
5a2681ea2e1d0d5e7db2a2499d2e6e27b2689830c638d5ee28c2eef9867ececf
9e6a2a01decc2c26f3586a119b6fd3a886c4cf9c76aa452339d164fda40c63e4
07118af421f14a7e07601639f44a72f6782757ae74d2afffdb531b8209697e7f
c524e118b1e263fccac6e94365b3a0b148a53ea96df21c8377ccd8ec3d6a0874
c71d04e2b6b35fdd058b4be5cf9ea3478697950378d4ee3c7fe0bf87e1e3730f
2711f1341d2f150a0c3e2d596939805d66ba7c6403346513d1fc826324f63c87
bf0ed245e897c7d1ada511db2939e8f3a879a96543f2651d5631339d5419bb75
19aa5a2235ee2518826a48363cb603060ee73ddccdf7d93bf197f97d7402aa37
8e35d8643c00d9e2993625b03366a7cd1bd36e6a60bc0c6039a509fccf9df150
f5271fcb895977dc1eead64415e525323cd412e3f2625aee2fafbb5674beea28
48299c2c568ce5f0d4f801b4aee0a6109b68613d2948ce4948334bbd7adc49eb
36c63d0c2a78497ccf555e84f0233a514943faeff38281d99d00baf5df23f184
08d0da0c36089f7a1f700b989f2f7825c5ba2549a20735d0bd1e64ca9c4885bc
c0871ecfe8b306074c6d376db14d966578a8511e5b5d355a4cf2c4d0b8c9deb9
b6226c3e0e4ad64bbda3e6a79eb464c7050faa25d1f5332dcac014d2e79dd87f
0279435f8727cca99bee575d157187787174d39f6872c2067de23afc681fe586
3fab16ec4643d8f6b9a99d85427322f7fb40e9ea3cd4de8318c6a52e29869d5a
86f01d5342ec39c65b1cff716f19c334cec26a82b87492d783d5e8f4ff9cb63a
d6cd1636569bba4131462bb8f45be1daa9a203aa343b6f2fd48a4847acfc29fa
b4f2470159ca93f9d585ae2df1da972f6d14a0c418ebc202a324b9be5c877b61
2cb6df289475457e807fc202a2b4688b2e23a88c94a8431981780caf8b76acf7
You can use the following CLI command to search for all KV-Botnet samples in our portal:
$ polyswarm link list -f KV-Botnet
You can use the following CLI command to search for all VoltTyphoon samples in our portal:
$ polyswarm link list -t VoltTyphoon
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.