Lumen Identifies More Than 500 Command and Control Servers Since October

Lumen, a leading U.S. internet service provider, reports that since October it has blocked traffic to more than 550 command and control (C2) servers tied to botnets identified in recent months, chiefly the Kimwolf and Aisuru botnets.
Research from cybersecurity startup Synthient indicates that Kimwolf has grown to at least 2 million compromised devices using an unusual entry point: it takes over Android TV set-top boxes that had already been compromised. Its operators exploit weaknesses in Android devices that may already carry other malware and turn them into residential proxies. Routing traffic through what looks like an ordinary household connection lets criminals disguise their activity and evade IP-reputation-based detection.
Investigations show that Kimwolf's operators scan specifically for devices exposing the Android Debug Bridge (ADB) service, a developer tool for controlling Android systems remotely. ADB over TCP listens on port 5555 by default, and when a device leaves it reachable without authorization it hands anyone who connects a shell and the ability to sideload packages, with no vulnerability to exploit. Kimwolf is regarded as a successor to the Aisuru botnet, and Chinese cybersecurity firm Xlab assesses that both are likely run by the same criminal group.
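The check below is an added example, not code from Lumen, Synthient or the article, showing how a defender can inventory exposed ADB services the way the scanners in the article find them: it sends the ADB transport protocol's CNXN handshake and classifies the reply. A daemon that answers with its own CNXN banner is open to anyone; one that answers AUTH demands an RSA-authorized key first. The constants come from ADB's documented wire format (24-byte header, magic equal to the bitwise complement of the command); the identity strings in the usage are constructed, and the probe should only be pointed at hosts you own.

```python
"""Fingerprint an exposed ADB-over-TCP service with the protocol's own CNXN
handshake (added defensive example; not Lumen, Synthient or Kimwolf code)."""
import socket
import struct
import sys

ADB_PORT = 5555                 # default port opened by `adb tcpip 5555`
A_CNXN = 0x4E584E43             # b"CNXN" as a little-endian uint32
A_AUTH = 0x48545541             # b"AUTH": daemon requires RSA key authorization
A_VERSION = 0x01000000          # protocol version advertised by the classic client
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialize one ADB transport message: 24-byte header followed by payload."""
    data_check = sum(payload) & 0xFFFFFFFF          # ADB's checksum is a plain byte sum
    return HEADER.pack(command, arg0, arg1, len(payload), data_check,
                       command ^ 0xFFFFFFFF) + payload


def build_cnxn() -> bytes:
    """The CNXN message a client sends to open a transport."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(data: bytes):
    """Return (command, arg0, arg1, payload) or None if `data` is not an ADB message."""
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, _check, magic = HEADER.unpack_from(data)
    if command ^ 0xFFFFFFFF != magic:      # magic is the bitwise complement of command
        return None
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) < length:              # truncated read
        return None
    return command, arg0, arg1, payload


def parse_identity(payload: bytes) -> dict:
    """Parse a CNXN banner such as b'device::ro.product.name=x;ro.product.model=y;\\x00'."""
    text = payload.rstrip(b"\x00").decode("utf-8", "replace")
    banner, _, props = text.partition("::")
    identity = {"banner": banner}
    for item in props.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            identity[key] = value
    return identity


def classify(reply: bytes) -> dict:
    """Decide what a service said in response to our CNXN."""
    msg = parse_message(reply)
    if msg is None:
        return {"adb": False, "open": False, "identity": {}}
    command, _, _, payload = msg
    if command == A_CNXN:     # daemon completed the handshake with no authorization
        return {"adb": True, "open": True, "identity": parse_identity(payload)}
    # A_AUTH (or anything else) means the daemon is there but did not let us in
    return {"adb": True, "open": False, "identity": {}}


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one ADB message: the header, then the payload it announces."""
    header = b""
    while len(header) < HEADER.size:
        chunk = sock.recv(HEADER.size - len(header))
        if not chunk:
            return header
        header += chunk
    length = min(HEADER.unpack_from(header)[3], MAX_PAYLOAD)
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            break
        payload += chunk
    return header + payload


def probe(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> dict:
    """Connect, send CNXN, classify the reply. Only run against hosts you own."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cnxn())
            return classify(recv_message(sock))
    except OSError as exc:
        return {"adb": False, "open": False, "identity": {}, "error": str(exc)}


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

An "open" result with a `device` banner is exactly the condition Kimwolf's scanners look for; the fix on the device side is to disable ADB over TCP (`adb usb`) or at least leave authorization enforced so the daemon answers AUTH instead of CNXN.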
Black Lotus Labs, Lumen's threat research team, documented Kimwolf's rapid growth, noting that the daily average bot count jumped from roughly 50,000 to 200,000 in a short window. It attributes the growth to the botnet's habit of using an infected device to reach and infect other devices on the same local network, which makes adding new bots cheap.
Synthient's research further notes that Kimwolf's operators resell proxy bandwidth, and that bot additions spiked in October, peaking at 800,000 bots in total. Most of the new additions were advertised for sale through a single residential proxy provider.
The scale of Kimwolf's command and control traffic is illustrated by one of its C2 domains outranking Google.com in Cloudflare's domain popularity rankings during October.
Network security firm Infoblox reported that a significant share of its cloud customers had queried known Kimwolf domains since the start of October, which indicates broad exposure: a resolver query for a known C2 domain is usually the first sign that an infected device, often a consumer set-top box, is sitting on an internal network.
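The kind of check Infoblox's observation implies, written here as an added example rather than anything from Infoblox or the article: run a resolver's query log against an indicator list and aggregate hits per client. The indicator domains and log lines are constructed placeholders (no real Kimwolf domains are reproduced), and the log format is a simplified BIND-style line. The one detail worth getting right is the match itself: a query must equal an indicator or be a subdomain of it, so `api.c2-one.example` hits while `notc2-one.example` does not.

```python
"""Hunt a DNS query log for lookups of known C2 domains (added example; the
domains and log lines are constructed placeholders, not real Kimwolf IOCs)."""
import re
from typing import Optional

# Hypothetical indicator list. A real hunt would load the vendor's published domains.
C2_DOMAINS = {"c2-one.example", "c2-two.example"}

# Simplified BIND-style query log line:
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def matching_indicator(qname: str, indicators) -> Optional[str]:
    """Return the indicator that `qname` equals or is a subdomain of, else None.

    The dot boundary matters: 'notc2-one.example' must not match 'c2-one.example',
    while 'api.c2-one.example' should.
    """
    qname = normalize(qname)
    for domain in indicators:
        domain = normalize(domain)
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def hunt(lines, indicators=C2_DOMAINS) -> dict:
    """Aggregate hits per client: which indicators it resolved, how often, first seen."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                       # not a query line, or a format we don't parse
        indicator = matching_indicator(m["qname"], indicators)
        if indicator is None:
            continue
        entry = hits.setdefault(
            m["client"], {"first_seen": m["ts"], "count": 0, "domains": set()})
        entry["count"] += 1
        entry["domains"].add(indicator)
    return hits


# Constructed sample log; the timestamps, clients and names are invented.
SAMPLE_LOG = """\
2025-10-03T08:12:01Z client 10.1.4.23#53211: query: api.c2-one.example IN A
2025-10-03T08:12:02Z client 10.1.4.23#53212: query: www.google.com IN A
2025-10-03T08:15:40Z client 10.1.7.9#40111: query: C2-Two.Example. IN A
2025-10-03T08:16:02Z client 10.1.9.5#41000: query: notc2-one.example IN A
2025-10-03T08:20:15Z client 10.1.4.23#53290: query: c2-two.example IN AAAA
2025-10-03T08:21:00Z garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, info["first_seen"], info["count"], sorted(info["domains"]))
```

Per-client aggregation is what turns a list of DNS hits into a response action: each client address in the result is a device to isolate and inspect, and `first_seen` bounds how long it has been beaconing.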
In MITRE ATT&CK terms, the activity maps to initial access through an exposed network service (T1190, Exploit Public-Facing Application, or, where an unauthenticated ADB daemon simply lets the attacker in, T1133, External Remote Services) and to persistence through installation of the bot on the device. No privilege-escalation exploit is needed against an open ADB service: it already grants a shell with whatever privileges the ADB daemon runs with, which on a set-top box is often more than any app gets. As the investigation continues, cybersecurity firms and federal agencies are stepping up efforts against residential proxy networks built from compromised consumer devices, particularly those that were infected through a compromised supply chain before they reached the buyer.