The cybersecurity company Kaspersky has discovered a new virus, dubbed KPOT. KPOT is the first true computer virus in recent years—most infections tend to fall into other categories of malware. The term “virus” is often used interchangeably with “malware,” but malware is a blanket term for malicious software. A virus is a type of malware that is capable of replicating itself by injecting code into other applications on disk so that every subsequent execution runs the virus instead.
For the initial infection, it appears that KPOT arrives via the Internet, a local network (through network drives) or from infected external media such as flash drives or an external hard drive. Once run, the virus adds itself to the Startup and Task Scheduler for persistence. KBOT’s main goal seems to be performing web injects to act as a stealer, with capabilities for downloading additional stealer modules later. Web injects modify web pages in the victim computer’s web browser to insert or modify form inputs and steal information typed into web forms. To spread, the virus infects all executable files on connected drives by adding its own polymorphic code (code that changes each time it is run while delivering the same result as the original) and overwriting an executable’s entry point. This also has the side effect that infected applications will no longer run due to being hijacked and will instead run the virus. As if that wasn’t enough, KPOT is also capable of injecting into running processes in an attempt to hide malicious activity.
In another bid for persistence, KPOT will search “C:\Windows\System32” for executable files with specific requirements that it can then copy into a newly-created directory under the system directory. These files are then written to the Startup directory, so they are automatically run. It also detects the DLLs used by each copied executable to copy those into the same location. KPOT creates a randomly named file in the same directory and uses it as an encrypted file system. This encrypted file system is used to store information such as the current version, configuration files received from its command and control server (C2), system information and more. After creating the encrypted file system, the newly copied DLLs are infected in a slightly different manner than previous files, but the result is the same. When the copied applications from System32 are run at startup, these infected DLLs are now loaded instead of the normal ones.
KPOT also comes with remote management capabilities via Remote Desktop Protocol (RDP). To allow multiple RDP sessions, KPOT configures the Remote Desktop Server settings by patching the memory of services that have “termserv.dll” loaded and editing the following registry entries:
- HKLM\SYSTEM\ControlSet\Control\TerminalServer\LicensingCore\ EnableConcurrentSessions
- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\ AllowMultipleTSSessions
For C2 communications, KPOT reads from a “hosts.ini” file located in the encrypted file storage that specifies which domain names the C2 servers use. Original configurations are also stored encrypted in one of the sections of the main bot module while newer versions are saved to the encrypted file system. C2 communications are used for sending system information and receiving commands. All traffic with the C2 is encrypted with AES. Below is the list of commands used:
- DeleteFile — delete the specified file from the file storage.
- UpdateFile — update the specified file in the file storage.
- UpdateInjects — update injects.ini.
- UpdateHosts — update hosts.ini.
- UpdateCore — update the main bot module and the configuration file kbot.ini.
- Uninstall — uninstall the malware.
- UpdateWormConfig — update worm.ini containing information about the location of EXE files to be infected.
- UpdateBackconnectConfig — update the configuration file with the list of servers for reverse connections.
- Load — load the file into the storage; it loads spyware programs for collecting user data, as well as DLLs for web injects