Keypoints
- KV‑botnet comprises two clusters (KV and JDY) targeting end‑of‑life SOHO devices (NETGEAR ProSAFE, Cisco RV320/RV325, DrayTek, Axis cameras) since at least Feb 2022.
- Infection is multi‑stage: kv-all.sh removes security tools/other malware, downloads architecture‑specific binaries (kv-{arch}), then runs cli_download_{architecture} to inject a 64‑bit ELF payload (a.elf) into memory and bind it to /proc.
- Primary payload performs host evasion (renaming processes, killing competing tools), creates an ephemeral listening port >30000, inserts iptables NAT/ACL rules, and establishes tunneling/proxy functionality for data transit.
- Custom C2 protocol uses structured beacon packets (0x16 header, size fields, blob + RSA public key validation) and a TLS‑like handshake to validate keys and exchange encrypted commands.
- Operators favor in‑memory execution (deletes disk artifacts), hands‑on‑keyboard exploitation windows (payload servers accept connections for ~1 hour), and rotating VPS/C2 infrastructure (X.509 artifacts: “BBC”, later “jdyfj”).
- Telemetry links KV activity to higher‑value targeting (ISPs, telcos, Guam territorial gov’t, European renewable energy firm) and shows overlap with Volt Typhoon infrastructure and timelines.
- IOCs include IPs (e.g., 155.138.146.162, 45.11.92.176), filenames (kv-all.sh, kv-mips, a.elf, bioset3, mips_ff), ports (8443, 5555, 9999, ephemeral >30000), and device models used as relays.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – used to gain initial access to SOHO routers; quote: ‘the initial infection process begins with running the kv-all.sh bash script.’
- [T1105] Ingress Tool Transfer – used to download architecture-specific binaries and modules; quote: ‘the bash script downloads and runs a file, “kv-{architecture}”’
- [T1055] Process Injection – payload injects and runs ELF payloads in memory and binds to /proc to avoid disk remnants; quote: ‘the downloaded executable (a.elf) contains parameters to mount and bind itself to the /proc/ file path.’
- [T1027] Obfuscated Files or Information – in-memory execution and deletion of files to hinder recovery and detection; quote: ‘after the malicious files were loaded into memory and bound to the running process, the actor deleted those files from disk to impede recovery and detection efforts.’
- [T1188] Command and Control: Multi-hop Proxy – use of compromised SOHO devices as relay/proxy nodes and VPS orchestration to hide upstream C2; quote: ‘NETGEAR ProSAFE firewalls acting as relay nodes for networks compromised by a threat group’
- [T1219] Remote Access Software – creation of tunnels, remote shells and ports to enable remote commands and file transfer; quote: ‘ability to upload/download files, run commands, and execute additional modules.’
- [T1007] System Service Discovery – malware enumerates and kills specific security and competing malware processes (httpd_watchdog, firewallsd, mips_ff); quote: ‘The bash script proceeds to remove various security programs … and seeks out and removes a file name “mips_ff”.’
- [T1016] System Network Configuration Discovery – malware runs uname and gathers host IP and CPU utilization to select appropriate payload; quote: ‘the malware runs the “uname” command to obtain information about the architecture of the host machine.’
- [T1078.003] Valid Accounts: Local Accounts – targeting of SOHO devices and likely use of default or common credentials for access; quote: ‘targeting of SOHO routers and devices that may rely on common default passwords suggests the exploitation of local accounts.’
Indicators of Compromise
- [IP Addresses] C2/payload servers and VPS observed – 155.138.146.162 (payload/callback examples), 45.11.92.176 (payload server observed rotating), and other rotating VPS addresses.
- [File names/Binaries] malware install chain and payloads – kv-all.sh, kv-mips (architecture-specific), cli_download_{architecture}/bioset{#}, a.elf, and mips_ff (competing botnet binary).
- [Device models] infected/abused hardware – NETGEAR ProSAFE, Cisco RV320/RV325, DrayTek Vigor routers, Axis cameras (M1045-LW, M1065-LW, p1367-E).
- [Ports] networking/tunneling and service ports – port 30203 (example ephemeral port generated by payload), port 8443 (long‑lived data transfers), and ports 5555/9999 used in CLI args.
- [X.509 Certificates] proxy node artifacts used for correlation – “BBC” certificate (Feb 2022–Nov 2023) and newer “jdyfj” certificate observed in Nov 2023.
The KV infection chain is a staged process that starts with a bash installer (kv-all.sh), which kills competing processes (e.g., mips_ff, httpd_watchdog, firewallsd), enumerates the host architecture via uname, and downloads architecture-specific binaries (kv-{architecture}). Those binaries change their process name (masquerading as kworker) and check for and kill common download/installer processes (wget, curl, tftp, lua) unless they include a ‘bioset’ marker. They then execute a cli_download_{architecture} helper, which writes a bioset{#} file and launches a 64‑bit payload (a.elf); that payload is injected into memory and mount‑bound to /proc before the disk files are deleted.
Once resident, the primary payload performs host‑based evasion (randomizing filename, monitoring and killing competing processes), opens a randomly selected high port (>30000), and uses libevent to listen and process messages. It programmatically checks and inserts iptables NAT/ACL rules for the chosen port, then beacons to C2 via a custom binary protocol (initial byte 0x16, defined size fields, state flags and a 32‑byte random blob). The agent validates an RSA public key returned by the server and completes a TLS‑like handshake (packets starting 0x17) before exchanging encrypted payloads and commands.
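As an added defender-side illustration (example code, not from the original report), the host-triage heuristic below checks constructed sample output for the post-infection pattern described above: a userland process named kworker, an executable unlinked from disk after loading, a listener on a port above 30000, and an iptables rule inserted for that same port. The ps/readlink table, the ss listener lines and the iptables rules are constructed samples; port 30203 is the page's own example ephemeral port.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid comm exe")
Listener = namedtuple("Listener", "port comm pid")

# Constructed samples modelled on `ps -eo pid,comm` + `readlink /proc/<pid>/exe`,
# `ss -lntp` listeners and `iptables -t nat -S` rules (not real captures).
PS_SAMPLE = """\
  PID COMMAND      EXE
  123 kworker/0:1  -
  987 kworker      /tmp/kv-mips (deleted)
 1042 httpd        /usr/sbin/httpd
"""
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:80    0.0.0.0:* users:(("httpd",pid=1042,fd=4))
LISTEN 0 128 0.0.0.0:30203 0.0.0.0:* users:(("kworker",pid=987,fd=7))
"""
IPTABLES_SAMPLE = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 30203 -j ACCEPT
"""
LISTEN_RE = re.compile(r'LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_processes(text):
    """Parse the PID/COMMAND/EXE table (header row skipped) into Proc records."""
    rows = [line.split(None, 2) for line in text.splitlines()[1:]]
    return [Proc(int(r[0]), r[1], r[2].strip()) for r in rows if len(r) == 3]

def parse_listeners(text):
    return [Listener(int(p), c, int(pid)) for p, c, pid in LISTEN_RE.findall(text)]

def parse_dport_rules(text):
    return {int(p) for p in re.findall(r"--dport (\d+)", text)}

def triage(ps_text, ss_text, ipt_text):
    """Return sorted (pid, finding) pairs matching the KV post-infection pattern."""
    findings, rule_ports = set(), parse_dport_rules(ipt_text)
    for p in parse_processes(ps_text):
        # Genuine kernel workers have no userland executable; one that does is masquerading.
        if p.comm.startswith("kworker") and p.exe != "-":
            findings.add((p.pid, "kworker masquerade"))
        if p.exe.endswith("(deleted)"):          # binary unlinked after in-memory load
            findings.add((p.pid, "executable deleted after load"))
    for l in parse_listeners(ss_text):
        if l.port > 30000:                        # randomly chosen high listening port
            findings.add((l.pid, f"listener on ephemeral port {l.port}"))
            if l.port in rule_ports:              # firewall rule inserted for that port
                findings.add((l.pid, f"iptables rule for port {l.port}"))
    return sorted(findings)
```

On a live host the same logic applies to real `ps`, `ss -lntp` and `iptables -S` output; a single pid accumulating several of these findings is the signal worth escalating.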
The bot supports three command channels (C2 command‑line, commands via the open port, and shared commands) enabling updates to C2 IP/port, opening additional sockets for tunneling/proxying, file upload/download, remote shell execution, and sending data to arbitrary IP:ports. Operational telemetry shows hands‑on‑keyboard exploitation windows (payload servers accepting connections for about an hour), rotating proxy infrastructure (BBC → jdyfj certificates), and the use of infected SOHO devices as multi‑hop relays for covert data transfer to upstream hidden services.