New KV-Botnet Targets Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

December 15, 2023NewsroomBotnet / Advanced Persistent Threats

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the actor a threat linked to China called Volt Typhoon.

Dubbed KV-botnet of the Black Lotus Labs team of Lumen Technologies, the malicious network is a combination of two complementary activity clusters active since February 2022.

“The campaign infects devices inside networks, a feature that has emerged as a soft spot in the defense array of many businesses, compounded by the shift to remote work in recent years,” the company SAYS.


Cook AI-Powered Threats with Zero Trust – Webinar for Security Professionals

Traditional security measures just won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join now

The two clusters – codenamed KY and JDY – are said to be separate but work in tandem to facilitate access to high-profile victims as well as build clandestine infrastructure. Telemetry data suggests that the botnet is sourced from IP addresses based in China.

While the JDY component bots engage in broader scanning using less sophisticated techniques, the KY component, which contains mostly obsolete and end-of-life products, is roughly reserved for manual operations against high-profile targets selected in advance.

It is suspected that Volt Typhoon is at least one user of the KV-botnet and it constitutes a subset of their operational infrastructure, which is confirmed by the noticeable decrease in operations in June and early July 2023, along with the disclosure to the public in the adversarial collective’s. target US critical infrastructure

Microsoft, which first disclosed the threat actor’s tactics, said it “attempted to interfere with normal network activity by routing traffic through compromised small offices and home offices (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial process of the infection mechanism used to break the devices is currently unknown. This is followed by first-stage malware that takes steps to remove security programs and other types of malware to ensure that it is the “only presence” on these machines.


It is also designed to receive the main payload from a remote server, which, in addition to beaconing back to the same server, is also able to upload and download files, run commands, and execute additional modules.

Last month, the botnet’s infrastructure received a change, targeting Axis IP cameras, indicating that operators may be preparing for a new wave of attacks.

“One of the most interesting aspects of this campaign is that all devices appear to be completely in memory,” the researchers said. “This makes detection very difficult, at the expense of long-term sustainability.”

“While the malware lives entirely in memory, only by power-cycling the device the end user can stop the infection. While that removes the imminent threat, re-infection occurs frequently.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment