Concise Cyber

US Agencies Warn of Chinese State-Sponsored Malware ‘KV-botnet’ Targeting Critical Infrastructure

United States federal agencies have released a joint advisory warning of a custom remote access trojan (RAT) deployed by a China-linked threat actor. The malware, tracked as KV-botnet, is being used to maintain long-term persistence on the networks of compromised US organizations.

The warning was issued by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).

Volt Typhoon and the KV-botnet Malware

The advisory attributes the activity to a China-sponsored advanced persistent threat (APT) group known as Volt Typhoon. This group is also tracked under other names, including Bronze Silhouette, Dev-0391, and Vanguard Panda.

The KV-botnet malware infects routers, VPN appliances, and firewalls, with a focus on devices from Cisco, Netgear, and Zyxel. By compromising these small office/home office (SOHO) and small and medium-sized business (SMB) network devices, Volt Typhoon assembles them into a botnet.

This botnet is used to relay command and control (C2) traffic and data exfiltration from compromised US critical infrastructure networks. Because the connections appear to originate from ordinary residential or small-business addresses rather than from the actor's own infrastructure, the technique hides the threat actor's true origin and lets malicious activity blend in with legitimate network traffic.
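Traffic relayed through compromised SOHO devices comes from unremarkable residential IP space, so source reputation alone rarely flags it. What often survives the relaying is the timing regularity of an implant's scheduled check-ins. The following is an added example, not code from the article, the advisory, or any of the agencies involved: a small beacon-detection pass over constructed firewall connection logs that scores each (source, destination, port) flow by how evenly spaced its connections are. All IP addresses, timestamps, the log format and the thresholds are made up for illustration.

```python
"""
Added example (not from the original article or the joint advisory):
flag outbound flows whose connections recur at near-constant intervals,
a common signature of scheduled C2 beaconing even when the far end is
an innocuous-looking SOHO router. Log format, IPs and thresholds are
constructed assumptions for this demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines, one connection per line:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# Flow 1 checks in roughly every 300 s with tiny jitter (beacon-like).
# Flow 2 is bursty, human-driven traffic to a different host.
SAMPLE_LOG = """\
1700000000 10.0.5.23 203.0.113.7 443 612
1700000300 10.0.5.23 203.0.113.7 443 598
1700000602 10.0.5.23 203.0.113.7 443 605
1700000899 10.0.5.23 203.0.113.7 443 620
1700001201 10.0.5.23 203.0.113.7 443 611
1700000000 10.0.5.40 198.51.100.9 443 15000
1700000042 10.0.5.40 198.51.100.9 443 2200
1700000900 10.0.5.40 198.51.100.9 443 480000
1700003100 10.0.5.40 198.51.100.9 443 7100
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src_ip, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append((int(ts), int(nbytes)))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval, coefficient_of_variation) of the gaps between
    consecutive connections, or None if there are too few gaps to judge.
    A low coefficient of variation means the spacing is nearly constant."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, max_cv=0.1, min_events=4):
    """Return flows that look like beacons: at least min_events connections
    whose inter-arrival jitter (CV) is at or below max_cv."""
    hits = []
    for key, events in parse_log(text).items():
        if len(events) < min_events:
            continue
        score = beacon_score([t for t, _ in events])
        if score is None:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append((key, round(interval), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for (src, dst, port), interval, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {src} -> {dst}:{port} every ~{interval}s (cv={cv})")
```

Real implants add deliberate jitter, so in practice the threshold is tuned per environment and this check is one signal among several (destination age, byte-count symmetry, TLS fingerprint) rather than a verdict on its own.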

Targeting US Critical Infrastructure

The campaign specifically targets organizations within the communications, energy, transportation, and water/wastewater systems sectors in the United States and its territories. According to the federal agencies, the actors are pre-positioning themselves on IT networks for the purpose of disrupting critical communications between the US and the Asia region during future crises.

This latest alert follows a May 2023 warning from Microsoft and the Five Eyes intelligence agencies about Volt Typhoon's activity against US critical infrastructure. The joint advisory includes technical details, indicators of compromise (IoCs), and mitigation guidance for network defenders.

Source: https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/