February 22, 2022 Editor’s Note: Since conducting his initial research, ZeroFox Intelligence Researcher Stephan Simon has uncovered additional details about the operators and the botnet. Updates have been published here.
In late October 2021, ZeroFox Intelligence discovered a previously unknown botnet called Kraken. Though still under active development, Kraken can already download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system. It currently spreads through SmokeLoader, a loader whose job is to install other malware, and quickly gains hundreds of bots each time a new command and control server is deployed. Despite sharing a name, it should not be confused with the Kraken botnet of 2008; the two have nothing else in common.
Since October 2021, ZeroFox Intelligence has been tracking Kraken – a previously unknown botnet targeting Windows that is currently under active development. Although the bot is simple in functionality, the author has been experimenting with new features while altering others. Current iterations of Kraken feature the ability to:
- Maintain persistence
- Collect information about the host for registration (varies per version)
- Download and execute files
- Run shell commands
- Steal various cryptocurrency wallets
- Take screenshots
“Open Source” Beginnings
Early versions of Kraken were based on code uploaded to GitHub on October 10, 2021. The project only had two commits, and the source code pre-dated any binaries ZeroFox observed in the wild. It is not currently known if the GitHub profile belongs to the botnet’s operator or if the operator simply used the code to kickstart their development.
Observed Infection Vector
Thanks to a tip by @abuse_ch, ZeroFox learned that Kraken originally spread in self-extracting RAR SFX files downloaded by SmokeLoader. These SFX files contained a UPX-packed version of Kraken, RedLine Stealer, and another binary used to delete Kraken. Current versions of Kraken are now downloaded by SmokeLoader directly. Kraken binaries are still UPX-packed but are now further protected by the Themida packer as well.
Installation and Persistence
During Kraken’s installation phase, it attempts to move itself into %AppData%\Microsoft. The file name is hardcoded, though the author has changed it a few times. ZeroFox has observed file names such as taskhost.exe, Registry.exe, and Windows Defender GEO.exe.
To stay hidden, Kraken runs the following two commands:
- powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
- attrib +S +H %APPDATA%\Microsoft\<EXE_NAME>
The PowerShell command adds Kraken’s installation directory to Microsoft Defender’s exclusion list, so nothing in it is ever scanned; Add-MpPreference requires administrative rights, so on a non-elevated infection the exclusion is not added. The attrib command sets the System and Hidden attributes on the copied EXE. A file flagged this way is not shown in Explorer even when “Show hidden files, folders, and drives” is enabled, unless “Hide protected operating system files” is disabled as well. Both actions are cheap to hunt for: Defender records exclusion changes as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and both command lines are visible in process-creation telemetry.
Kraken also makes use of the Windows Run registry key to ensure it starts every time the victim logs in.
A mix of fake and real information is written to a new registry key under HKEY_CURRENT_USER\Software; nothing reads these values again after installation. The key name is another hardcoded value that has changed occasionally. Early versions of Kraken observed by ZeroFox created a key named “Networking Service” or a slight variation of it, such as “Networking5 Servic1e” and “Netrworking5r Servirc1er”.
Aside from the hard-coded name for the registry key, the following information shown in Figure 4 has remained the same in every version ZeroFox has encountered in the wild:
- ID – obfuscated UUID
- INSTALL – installation timestamp
- LAST – empty
- NAME – obfuscated binary and Run key name (minus file extension)
- REMASTER – always “nil”
- VERSION – always “0.5.6”
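Taken individually, the installation artifacts above (the Defender exclusion, the attrib +S +H call, the Run key entry and the marker key under HKCU\Software) are each a little noisy; together they form a tight host-based signature. The following Python is an added example written for this page, not ZeroFox’s tooling or the bot’s code. It runs four rules over constructed, simplified Sysmon-style events: EventID 1 (process creation) carrying a CommandLine, and EventID 13 (registry value set) carrying TargetObject and Details. The field names, the SID, the user paths and the value contents are assumptions; only the value names, the installation directory, the file name and the two command lines come from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Value names Kraken writes under its hard-coded key in HKCU\Software (from the report).
KRAKEN_MARKER_VALUES = frozenset({"ID", "INSTALL", "LAST", "NAME", "REMASTER", "VERSION"})

# Installation directory, expanded or not, followed by a separator, quote, space or end.
APPDATA_MICROSOFT = re.compile(r'(?:%APPDATA%|\\AppData\\Roaming)\\Microsoft(?:\\|"|\s|$)', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# A key sitting directly beneath ...\Software\ (where the marker key lives).
SOFTWARE_CHILD = re.compile(r"\\Software\\[^\\]+$", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(r'Add-MpPreference\b.*?-ExclusionPath\s+("[^"]+"|\S+)', re.IGNORECASE)
# attrib with both +S and +H somewhere later on the command line, in either order.
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b(?=.*\+S\b)(?=.*\+H\b)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


class KrakenDetector:
    """Three stateless rules on process events plus one stateful rule on registry events."""

    def __init__(self):
        self._seen_values = defaultdict(set)   # registry key -> marker value names written so far
        self._reported_keys = set()

    def process(self, event):
        """Return the alerts raised by one event (an empty list for benign events)."""
        if event.get("EventID") == 1:
            return self._process_creation(event)
        if event.get("EventID") == 13:
            return self._registry_set(event)
        return []

    def _process_creation(self, ev):
        cmd = ev.get("CommandLine", "")
        alerts = []
        m = DEFENDER_EXCLUSION.search(cmd)
        if m:
            alerts.append(Alert("defender_exclusion_added", m.group(1).strip('"')))
        if ATTRIB_HIDE.search(cmd) and APPDATA_MICROSOFT.search(cmd):
            alerts.append(Alert("hidden_system_file_in_appdata", cmd))
        return alerts

    def _registry_set(self, ev):
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        alerts = []
        if RUN_KEY.search(target) and APPDATA_MICROSOFT.search(details):
            alerts.append(Alert("run_key_points_into_appdata_microsoft", f"{target} -> {details}"))
        key, _, value_name = target.rpartition("\\")
        if SOFTWARE_CHILD.search(key) and value_name.upper() in KRAKEN_MARKER_VALUES:
            seen = self._seen_values[key]
            seen.add(value_name.upper())
            # Fire once, when the full set has been written under one key; partial overlap
            # with common value names such as NAME or VERSION is deliberately not enough.
            if seen >= KRAKEN_MARKER_VALUES and key not in self._reported_keys:
                self._reported_keys.add(key)
                alerts.append(Alert("kraken_marker_key_complete", key))
        return alerts


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"     # constructed, not a real account
MARKER_KEY = f"HKU\\{SID}\\Software\\Networking Service"    # key name seen in early samples
INSTALL_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft"

# Constructed events: the install commands, the six marker values (contents are placeholders;
# the real ID and NAME are obfuscated and INSTALL's format is not documented), then benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": f"powershell -Command Add-MpPreference -ExclusionPath {INSTALL_DIR}"},
    {"EventID": 1, "CommandLine": f'attrib +S +H "{INSTALL_DIR}\\taskhost.exe"'},
    {"EventID": 13, "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\taskhost",
     "Details": f"{INSTALL_DIR}\\taskhost.exe"},
] + [
    {"EventID": 13, "TargetObject": f"{MARKER_KEY}\\{name}", "Details": value}
    for name, value in [("ID", "placeholder-obfuscated-uuid"), ("INSTALL", "1635292800"), ("LAST", ""),
                        ("NAME", "placeholder-obfuscated-name"), ("REMASTER", "nil"), ("VERSION", "0.5.6")]
] + [
    {"EventID": 1, "CommandLine": r"attrib +R C:\Users\victim\Documents\notes.txt"},
    {"EventID": 13, "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13, "TargetObject": f"HKU\\{SID}\\Software\\SomeEditor\\VERSION", "Details": "2.1"},
]


def run_sample():
    """Feed the constructed events through one detector and return every alert in order."""
    detector = KrakenDetector()
    alerts = []
    for event in SAMPLE_EVENTS:
        alerts.extend(detector.process(event))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.evidence}")
```

On the sample, the three benign records at the end raise nothing and the marker rule fires exactly once, on the sixth value write. The marker rule is stateful on purpose: NAME and VERSION are common value names under HKCU\Software, so it waits until all six names have been set under the same key directly beneath Software. Adding a check that VERSION is “0.5.6” and REMASTER is “nil” would tighten it further, at the cost of missing the next build that changes those constants.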
Kraken’s feature set is simplistic for a botnet. Although not present in earlier builds, the bot is capable of collecting information about the infected host and sending it back to the command and control (C2) server during registration. The information collected seems to vary from build to build, though ZeroFox has observed the following being collected:
- Build ID (TEST_BUILD_ + the timestamp of the first run)
- CPU details
- GPU details
- Operating system and version
The botnet can also download and execute files. Originally, Kraken contained several separate but near-identical download functions for different situations: updating the bot itself, executing secondary payloads, and receiving files over a direct socket connection. These have since been merged into a single function and the redundant copies removed.
Kraken’s operators are able to run shell commands on infected hosts from the dashboard as well, returning the results back to the C2 server.
SSH brute-forcing functionality was added to some builds but was quickly removed. This function was hardcoded to attempt logging in as the root user of a given target and assumed a server would be listening on the default port. ZeroFox did not see any evidence of this feature being used, likely explaining its quick removal.
Upon execution, Kraken immediately takes a screenshot to send to the C2. A “ScreenShot” command also exists if the operator decides to take screenshots of the victim’s system on demand.
The most recent feature addition is the ability to steal various cryptocurrency wallets from the following locations:
- %AppData%\Guarda\Local Storage\leveldb
- %AppData%\atomic\Local Storage\leveldb
Currently supported commands are:
- Position – Unknown
- ScreenShot – take a screenshot
- SHELL – run a Windows shell command with cmd
- UPLOAD – download and execute an EXE
Multiple versions of the administration panel or dashboard have been created since October 2021. While the original code found on GitHub did include a server, it did not have a web-based interface for interacting with the botnet.
The initial panel, aptly named “Kraken Panel,” was simple in terms of features. It offered basic statistics, links to download payloads, an option to upload new payloads, and a way to interact with a specific number of bots. This version did not appear to allow the operator(s) to choose which victims to interact with.
The current version of the C2 has undergone a total redesign—complete with a new name, Anubis. The Anubis Panel provides far more information to the operator(s) than the original Kraken Panel. In addition to the previously provided statistics, it is now possible to view command history and information about the victim.
A later update to the Anubis Panel added the ability for the operator(s) to be more selective when choosing targets for commands. In previous versions, the operator(s) could only choose the number of victims to target with the command. With this update, targets can be chosen individually or by group using their external IP or geographic location.
The Anubis Panel also allows the operator(s) to view task and command history via the dashboard and TASK page. The TASK page shows information such as the ID generated for the task, the command being sent, how many victims the command should be sent to, the targeted geolocation, and a timestamp of when the task was initiated.
Initially, every task investigated by ZeroFox resulted in a version of RedLine Stealer being downloaded and executed on the victim’s machine. Some shell commands were observed as well, though these were only used to download more RedLine payloads using curl.
As the operator(s) behind Kraken continued to expand and gather more victims, ZeroFox began observing other generic information stealers and cryptocurrency miners being deployed. As of this writing, the botnet appears to be collecting around USD 3,000 every month.
- Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
- Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
- Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
- Avoid opening unsolicited attachments and never click suspicious links.
- Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
- Review network logs for potential signs of compromise and data egress.
While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP. By using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2. Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.
| Technique ID | Technique |
|---|---|
| T1027.002 | Obfuscated Files or Information: Software Packing |
| T1033 | System Owner/User Discovery |
| T1047 | Windows Management Instrumentation |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1082 | System Information Discovery |
| T1132.001 | Data Encoding: Standard Encoding |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |