In late October 2021, ZeroFox Intelligence disclosed a botnet called Kraken. Kraken propagates through SmokeLoader and grows each time its attack infrastructure is updated. Despite sharing a name with the Kraken botnet discovered in 2008, the two have nothing in common.
Function
The Kraken botnet has been actively developed against Windows since October 2021. Although the bot's functionality is relatively simple, the attackers update it constantly. Its typical functions are as follows:
Persistence
Collect host information
Download and execute programs
Remote command execution
Steal cryptocurrency wallets
Take screenshots
“Open Source” Beginnings
An earlier version of Kraken was uploaded to GitHub on October 10, 2021, and the source code for that version predates any samples. It is unclear whether the GitHub code was written by the attackers themselves or whether they simply reused it as the basis for their own development.
Infection
Kraken propagates as a self-extracting RAR SFX file downloaded by SmokeLoader. The SFX file contains a UPX-packed Kraken, RedLine Stealer, and a program for removing Kraken. Subsequent versions used Themida for packing in addition to UPX.
Persistence
Kraken copies itself to %AppData%\Microsoft. The file names are hard-coded, such as taskhost.exe, Registry.exe, and Windows Defender GEO.exe.
To stay hidden, Kraken runs the following two commands:
powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
attrib +S +H %APPDATA%\Microsoft\
The Run key value name is also hard-coded: the early version used Networking Service, and later versions used variants such as networking5 Servic1e and Networking5r Servirc1er.
The following stored values are present in every release:
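The two commands and the Run key naming pattern above are what a defender can look for in endpoint telemetry. The following Python script is an added illustration written for this article; it is not code from the original report or from Kraken itself. It runs three rules over constructed records shaped like Sysmon process-creation (Event ID 1) and registry value-set (Event ID 13) events: a Defender exclusion added for %APPDATA%\Microsoft, an attrib call setting +S +H on that directory, and a Run value whose name is "Networking Service" with digits and stray letters mixed in (the heuristic generalizes from the two variants quoted above and is an assumption, not a documented rule). The event field names and the benign sample records are also constructed.

```python
import re

# Constructed telemetry shaped like Sysmon process-creation (Event ID 1) and
# registry value-set (Event ID 13) records. These are not real captures; the
# command lines and value names reproduce the behaviour described in the text.
SAMPLE_EVENTS = [
    {"event_id": 1,
     "command_line": "powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\\Microsoft"},
    {"event_id": 1,
     "command_line": "attrib +S +H %APPDATA%\\Microsoft\\"},
    {"event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\networking5 Servic1e",
     "details": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\taskhost.exe"},
    # Benign noise (constructed) that the rules must not flag.
    {"event_id": 1,
     "command_line": "attrib -R C:\\Users\\user\\Documents\\report.docx"},
    {"event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

# %APPDATA%\Microsoft written either with the variable or in expanded form.
APPDATA_MICROSOFT = re.compile(
    r"(%APPDATA%|AppData\\Roaming)\\Microsoft(\\|$|\s)", re.IGNORECASE)
# Value name under a per-user or machine Run key.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def is_defender_exclusion_for_appdata_microsoft(cmd):
    """PowerShell adding a Microsoft Defender path exclusion for %APPDATA%\\Microsoft."""
    low = cmd.lower()
    return ("add-mppreference" in low and "-exclusionpath" in low
            and APPDATA_MICROSOFT.search(cmd) is not None)


def is_hide_attrib_on_appdata_microsoft(cmd):
    """attrib marking %APPDATA%\\Microsoft both System (+S) and Hidden (+H)."""
    tokens = cmd.lower().split()
    return "+s" in tokens and "+h" in tokens and APPDATA_MICROSOFT.search(cmd) is not None


def _is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(ch in it for ch in needle)


def looks_like_networking_service(value_name):
    """Heuristic (assumed, derived from the quoted variants): the Run value name is
    'Networking Service' with digits and a few stray letters inserted, so the letters
    alone must contain 'networkingservice' in order, with at most a handful of extras."""
    letters = re.sub(r"[^a-z]", "", value_name.lower())
    skeleton = "networkingservice"
    return _is_subsequence(skeleton, letters) and len(letters) - len(skeleton) <= 4


def analyze(events):
    """Return (rule_name, evidence) tuples for events matching the persistence pattern."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            cmd = ev["command_line"]
            if is_defender_exclusion_for_appdata_microsoft(cmd):
                alerts.append(("defender_exclusion_appdata_microsoft", cmd))
            if is_hide_attrib_on_appdata_microsoft(cmd):
                alerts.append(("hidden_system_attrib_appdata_microsoft", cmd))
        elif ev["event_id"] == 13:
            m = RUN_VALUE.search(ev["target_object"])
            if (m and looks_like_networking_service(m.group(1))
                    and APPDATA_MICROSOFT.search(ev["details"])):
                alerts.append(("kraken_style_run_value", m.group(1)))
    return alerts


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The first two rules are specific enough to fire on their own; the Run value rule is deliberately paired with a launch path under %AppData%\Microsoft, because the name heuristic alone would match any legitimately named "Networking Service" entry.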
ID: Obfuscated UUID
INSTALL: Installation timestamp
LAST: Empty
NAME: Obfuscated file and run key
REMASTER: nil
VERSION: 0.5.6
Features
Kraken's functionality is still very simple compared to other botnets; it mainly sends information about the infected host back to the C&C server. The information collected is as follows:
Host name
User name
Build ID (TEST_BUILD_ + timestamp of the first run)
CPU information
GPU information
Operating system and version
Kraken originally had separate file-download functions for updating the bot, running payloads, and receiving files; in the latest version these have been merged into one.
The attackers also added SSH brute-forcing capability, but it was quickly removed. When the C&C server sends the ScreenShot command, the sample takes a screenshot of the system.
The most recently added feature is stealing cryptocurrency wallets:
%AppData%\Zcash
%AppData%\Armory
%AppData%\bytecoin
%AppData%\Electrum\wallets
%AppData%\Ethereum\keystore
%AppData%\Exodus\exodus.wallet
%AppData%\Guarda\Local Storage\leveldb
%AppData%\atomic\Local Storage\leveldb
%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
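For detection, the wallet paths above are most useful as a match list applied to file-access telemetry. The following Python script is an added illustration written for this article, not code from the original report or from Kraken. It normalizes a Windows path (either the %AppData% form used above or the expanded ...\AppData\Roaming form), maps it to the targeted wallet it falls under, and flags accesses where the process image name does not contain the wallet's name, on the coarse and assumed premise that a wallet's own client is expected to read its data while a binary living in %AppData%\Microsoft is not. The sample file-access events and file names are constructed.

```python
from pathlib import PureWindowsPath

# Wallet locations named in the write-up, relative to %AppData% (Roaming).
# The dictionary keys are labels chosen here for reporting.
TARGETED_WALLET_DIRS = {
    "Zcash": "Zcash",
    "Armory": "Armory",
    "Bytecoin": "bytecoin",
    "Electrum": "Electrum\\wallets",
    "Ethereum": "Ethereum\\keystore",
    "Exodus": "Exodus\\exodus.wallet",
    "Guarda": "Guarda\\Local Storage\\leveldb",
    "Atomic": "atomic\\Local Storage\\leveldb",
    "Jaxx": "com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb",
}


def appdata_relative_parts(path):
    """Lower-cased path components after %AppData% (or its expanded form
    ...\\AppData\\Roaming), or None if the path is not under Roaming AppData."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i, p in enumerate(parts):
        if p == "%appdata%":
            return tuple(parts[i + 1:])
        if p == "appdata" and i + 1 < len(parts) and parts[i + 1] == "roaming":
            return tuple(parts[i + 2:])
    return None


def match_wallet(path):
    """Return the label of the targeted wallet directory containing `path`, else None."""
    rel = appdata_relative_parts(path)
    if rel is None:
        return None
    for label, target in TARGETED_WALLET_DIRS.items():
        tparts = tuple(p.lower() for p in PureWindowsPath(target).parts)
        if rel[:len(tparts)] == tparts:
            return label
    return None


# Constructed (process image, file path) access events; not real telemetry.
SAMPLE_FILE_EVENTS = [
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\taskhost.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"),
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\taskhost.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\constructed-file.dat"),
    ("C:\\Program Files\\Electrum\\electrum-4.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\notes.lnk"),
]


def suspicious_wallet_access(events):
    """Flag wallet-directory accesses by a process whose image name does not
    contain the wallet label (coarse heuristic, assumed for this illustration)."""
    hits = []
    for image, path in events:
        label = match_wallet(path)
        if label is None:
            continue
        exe = PureWindowsPath(image).name.lower()
        if label.lower() not in exe:
            hits.append((exe, label, path))
    return hits


if __name__ == "__main__":
    for exe, label, path in suspicious_wallet_access(SAMPLE_FILE_EVENTS):
        print(f"{exe} accessed {label} wallet data: {path}")
```

Matching on path components rather than on a raw substring avoids false positives such as %AppData%\Local\Electrum or an unrelated folder whose name merely starts with "Zcash", and the %AppData% variable is accepted so the list can be applied as written without expanding it per user.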
The currently supported commands are:
Position
ScreenShot
SHELL
UPLOAD
Control Panel
Since October 2021, the Control Panel has gone through many versions. Although the source code on GitHub includes the C&C server code, it does not include the Control Panel.
Kraken
The original panel was the Kraken panel, which provided basic statistics, Payload upload and download, and bulk interaction with the managed hosts.
Anubis
The current control panel is the Anubis panel, which provides much more information than the original. Operators can view the history of issued commands together with information about the victim.
In subsequent updates the Anubis panel added the ability to select which targets a command executes on, giving finer-grained control over the hosts attacked.
As the Kraken botnet continues to grow and additional information stealers and mining programs are deployed, the botnet's mining revenue is about $3,000 a month.
Conclusion
Kraken's activity has dipped at times, but within a short period it would return with new ports or new C&C servers. Based on the commands observed, the attackers focus on deploying information stealers, specifically RedLine Stealer.
MITRE ATT&CK
ID | Description
T1027.002 | Obfuscated Files or Information: Software Packing
T1033 | System Owner/User Discovery
T1047 | Windows Management Instrumentation
T1059.001 | Command and Scripting Interpreter: PowerShell
T1059.003 | Command and Scripting Interpreter: Windows Command Shell
T1082 | System Information Discovery
T1113 | Screen Capture
T1132.001 | Data Encoding: Standard Encoding
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1571 | Non-Standard Port
IOCs
65.21.105.85
91.206.14.151
95.181.152.184
185.112.83.22
185.112.83.96
185.206.212.165
213.226.71.125
1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115
d742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088
ddf039c3d6395139fd7f31b0a796a444f385c582ca978779aae7314b19940812
dcaaef3509bc75155789058d79f025f14166386cec833c2c154ca34cfea26c52
54d36e5dce2e546070dc0571c8b3e166d6df62296fa0609a325ace23b7105335
095c223b94656622c81cb9386aefa59e168756c3e200457e98c00b609e0bb170
0f0cabb24d8cc93e5aed340cfc492c4008509f1e84311d61721a4375260a0911
2ced68e4425d31cca494557c29a76dfc3081f594ff01549e41d2f8a08923ef61
3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
ef3e0845b289f1d3b5b234b0507c554dfdd23a5b77f36d433489129ea722c6bb
7c76ca5eb757df4362fabb8cff1deaa92ebc31a17786c89bde55bc53ada43864
48c2f53f1eeb669fadb3eec46f7f3d4572e819c7bb2d39f22d22713a30cc1846
43f46a66c821e143d77f9311b24314b5c5eeccfedbb3fbf1cd484c9e4f537a5d
8c4294e3154675cd926ab6b772dbbe0e7a49cae16f4a37d908e1ca6748251c43