{
  "description": "Enterprise techniques used by KV Botnet Activity, ATT&CK campaign C0035 (v1.0)",
  "name": "KV Botnet Activity (C0035)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.003", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.008", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) gathers a list of filenames from the following locations during execution of the final botnet stage: \\/usr\\/sbin\\/, \\/usr\\/bin\\/, \\/sbin\\/, \\/pfrm2.0\\/bin\\/, \\/usr\\/local\\/bin\\/.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.002", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) altered permissions on downloaded tools and payloads to enable execution on victim machines.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.013", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) leveraged a bind mount to bind itself to the `/proc/` file path before deleting its files from the `/tmp/` directory.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) included the use of scripts to download additional payloads when compromising network nodes.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) involves changing process filename to pr_set_mm_exe_file and process name to pr_set_name during later infection stages.(Citation: Lumen KVBotnet 2023)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) installation steps include first identifying, then stopping, any process containing [kworker\\/0:1], then renaming its initial installation stage to this process name.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1095", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) command and control traffic uses a non-standard, likely custom protocol for communication.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "Scripts associated with [KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.009", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) final payload installation includes mounting and binding to the \\/proc\\/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) involved removal of security tools, as well as other identified IOT malware, from compromised devices.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) gathers victim IP information during initial installation stages.(Citation: Lumen KVBotnet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by KV Botnet Activity", "color": "#66b1ff"}]
}