This blog post from Lumen Technologies' Black Lotus Labs describes the KV-botnet, a botnet that targets small office/home office (SOHO) routers. Active since at least February 2022, the botnet is sophisticated, with a complex infection process and a well-concealed command-and-control framework. It targets end-of-life devices, primarily Cisco RV320s, DrayTek Vigor routers, NETGEAR ProSAFE devices, and Axis IP cameras. The investigation links the botnet to a Chinese state-sponsored actor and suggests it is used for espionage and information gathering. For more details, read the full article on Lumen Technologies' blog.
IoC
DOMAIN
- 2fgithub.com
REFERENCES
- https://github.com/blacklotuslabs/IOCs/blob/main/KVbotnet_IOCs.txt
- https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
- https://otx.alienvault.com/pulse/657b0af55af290155cda7016
TAGS
volt typhoon, prosafe, soho, kvbotnet, netgear prosafe, black lotus, cluster, syscall, sha256, payload server, accellion fta, lumen ip, mips, hiatusrat