Kraken botnet bypass Windows Defender to steal crypto wallet data

Kraken botnet utilizes SmokeLoader malware, and its operators have already been raking in around $3,000 per month.

eroFox Intelligence’s cybersecurity researchers have discovered a new botnet that is under active development and used by threat actors to deploy backdoors to steal sensitive data.

Dubbed Kraken botnet by researchers; it is quickly spreading and adding more backdoors and infostealers. It is worth noting that Kraken botnet has no connection with the Kraken botnet discovered in 2008 or San Francisco, California-based Kraken cryptocurrency exchange and bank.

Multiple Variants of Kraken Botnet Detected

The Golang-based botnet is reportedly targeting Windows hosts to steal sensitive information. It was detected in October 2021, and many variants have been identified since then. These variants were based on an open-source code uploaded to GitHub.

Despite the botnet being still under development, it boasts an expensive array of capabilities. It was initially deployed as a self-extracting RAR SFX file; however, in its recent variants, Kraken gets directly downloaded through the backdoor.

Details of the Malware Loader

According to ZeroFox’s report published on Wednesday, Kraken botnet utilizes SmokeLoader malware, and its operators have already been raking in around $3,000 per month. Using SmokeLoader, Kraken has added hundreds of new bots every time a new C2 server is deployed.

However, researchers aren’t sure whether the earlier variants of Kraken malware uploaded on the GitHub profile belong to the botnet’s operators or just used the code to start its development.

Kraken botnet skips Windows Defender scan to steal crypto wallet data
C2 panel of the Kraken botnet (Image credit: ZeroFox Intelligence)

More Botnet & Malware news

  1. Botnet Abusing Bitcoin Blockchain To Evade Detection
  2. BotenaGo botnet malware targeting millions of IoT devices
  3. Google disrupts Glupteba blockchain botnet that infected 1mn PCs
  4. Prometei botnet uses NSA exploit, hits unpatched MS exchange servers
  5. 9-year-old Windows flaw abused to drop ZLoader malware in 111 countries

How Kraken Evades Detection?

The botnet evades detection by executing two commands, one of which instructs Microsoft Defender (formally Windows Defender) not to scan its installation folder while the second command instructs it to set the hidden attribute to the copied .exe file. Kraken also inserts a particular Windows Run registry key to execute it each time the victim logs in.

Kraken Functionalities

Kraken’s developers have added several capabilities to the botnet. Such as, it can steal funds from different cryptocurrency wallets, execute secondary payloads and run shell commands on the infected system, capture screenshots, obtain information about the registration host, and maintain persistence on the compromised system.

Protection against Kraken botnet

If you are on Windows watch out for the Kraken botnet attack. If you keep crypto wallet-related data on your device then be extra careful and keep your antivirus software up to date.

Furthermore, learn how to spot a phishing email, avoid clicking links sent by an anonymous sender and only visit websites that you trust. Under suspicious circumstances, use VirusTotal to scan malicious files and links.

Related Posts