Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken that’s under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts.
“Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system,” threat intelligence firm ZeroFox said in a report published Wednesday.
First spotted in October 2021, Kraken's early variants were found to be based on source code uploaded to GitHub, although it is unclear whether the repository in question belongs to the malware's operators or whether they simply used that code as the foundation for their own development.
The botnet, not to be confused with the 2008 botnet of the same name, is distributed via SmokeLoader, which acts chiefly as a loader for next-stage malware, allowing Kraken to scale quickly and expand its network.
Kraken is under constant development, with its authors altering existing functions and adding new ones. Current iterations of the botnet include functions to maintain persistence, download files, run shell commands, and steal from a range of cryptocurrency wallets.
The wallets targeted include Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. Also consistently downloaded and executed on the machine is the RedLine Stealer, which is used to harvest saved credentials, autocomplete data, and credit card information from web browsers.
The botnet also comes with an admin panel that lets the threat actor upload new payloads and interact with specific bots, as well as view each victim's command history and other information.
Over time, Kraken has also emerged as a conduit for deploying other generic information stealers and cryptocurrency miners, netting the botnet's operators around $3,000 every month. The researchers concluded that it is not yet known what the operator plans to do with the stolen credentials, or what the ultimate goal behind creating the new botnet is.