KBOT Virus Spreads by Injecting Code into Executables

Delaware, USA – February 12, 2020 – In recent years, classic file-infecting viruses have largely given way to fileless malware, abuse of cloud services, and steganography. The arms race between cybercriminals and cybersecurity vendors continues, but relics of the past are still brought to light every once in a while. KBOT, discovered and analyzed by Kaspersky Lab, is a virus that spreads by injecting malicious code into Windows executables. “It is the first ‘living’ virus in recent years that we have spotted in the wild,” the researchers say. “The KBOT virus poses a serious threat, because it is able to spread quickly in the system and on the local network by infecting executable files with no possibility of recovery. It significantly slows down the system through injects into system processes, enables its handlers to control the compromised system through remote desktop sessions, steals personal data, and performs web injects for the purpose of stealing users’ bank data.”

The virus writes itself to Startup and to the Task Scheduler to achieve persistence, then uses web injects to steal the victim’s banking and personal data. It can download additional modules to collect and exfiltrate sensitive data: credentials, cryptowallet data, lists of files and installed applications, and so on. KBOT is hard to spot because it uses multiple obfuscation tools and techniques to hide its activity, and it stores all its files and stolen data in a virtual file system encrypted with the RC6 algorithm. You can use the Sysmon Framework rule pack to spot signs of this virus in your corporate network. The rule pack enables your security platform to uncover cyberattacks that bypass traditional detection tools: https://my.socprime.com/en/integrations/sysmon-framework
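The two persistence locations named above (Startup and the Task Scheduler) are the first places to look on a host suspected of infection. The PowerShell below is an added example for this article, not code from Kaspersky Lab or from the SOC Prime rule pack: it enumerates the per-user and all-users Startup folders, the Run/RunOnce registry keys (added here as a related autostart location the article does not mention), and every non-Microsoft scheduled task, resolves the binary each entry launches, and flags entries whose binary is unsigned, missing, or located outside the Windows and Program Files trees. The "trusted roots" list and the flagging heuristic are assumptions for illustration, not indicators taken from the KBOT analysis.

```powershell
# Added example (not from Kaspersky or SOC Prime): hunt the autostart locations
# that the article reports KBOT using for persistence, plus the Run keys.
# The trusted-root list and the "Suspicious" heuristic are assumptions.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Resolve-LaunchedBinary {
    # Return the executable path from a command line: first quoted token or
    # first whitespace-delimited token, with %VAR% references expanded.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

function Test-OutsideTrustedRoots {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $binary = Resolve-LaunchedBinary $CommandLine
    if (-not $binary) { return }
    $exists    = Test-Path -LiteralPath $binary -PathType Leaf
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $binary).Status } else { 'Missing' }
    $outside   = Test-OutsideTrustedRoots $binary
    $findings.Add([pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Binary       = $binary
        Signature    = $sigStatus
        OutsideTrust = $outside
        Suspicious   = ($sigStatus -ne 'Valid') -or $outside
    })
}

# 1. Startup folders (per-user and all-users), the first location named in the article.
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Follow shortcuts to the real executable they launch.
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        Add-Finding 'StartupFolder' $_.Name $target
    }
}

# 2. Run / RunOnce keys (added here; not a location the article lists).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Add-Finding $key $_.Name $_.Value }
}

# 3. Scheduled tasks: every Exec action of every task outside the \Microsoft\ tree.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.PSObject.Properties['Execute']) {
                Add-Finding "Task$($task.TaskPath)" $task.TaskName $action.Execute
            }
        }
    }

$findings | Where-Object Suspicious | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session (Get-ScheduledTask needs the ScheduledTasks module shipped with Windows 8 / Server 2012 and later, and HKLM keys and other users' tasks need administrator rights). Expect legitimate third-party software to appear in the output: the heuristic is a triage aid that shortens the list you must examine by hand, not a signature. Because KBOT also modifies existing executables, a clean autostart list does not prove a host is uninfected, which is why the process- and image-load telemetry that the Sysmon rule pack works from is still needed.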