{"id":88926,"date":"2024-07-18T09:20:37","date_gmt":"2024-07-18T16:20:37","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=88926"},"modified":"2024-08-16T06:35:04","modified_gmt":"2024-08-16T13:35:04","slug":"emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/","title":{"rendered":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants"},"content":{"rendered":"<h2>What Is Wiper Malware?<\/h2>\n<p>Wipers are malware that delete data on a device or make it inaccessible. They can be used for sabotage, to destroy evidence of an attack or simply to make a device unusable. IoT wipers often rewrite important parts of the firmware of an IoT device, rendering that device useless, so they are also known as \u201cbrickers\u201d.<\/p>\n<p>Recent notorious examples of IoT wipers include <a href=\"https:\/\/www.sentinelone.com\/labs\/acidrain-a-modem-wiper-rains-down-on-europe\/\" target=\"_blank\" rel=\"noopener\">AcidRain<\/a>, which was used by a Russian APT to brick satellite modems in Europe at the outset of the Russian invasion of Ukraine in 2022. <a href=\"https:\/\/www.sentinelone.com\/labs\/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine\/\" target=\"_blank\" rel=\"noopener\">AcidPour<\/a>, a newer variant of AcidRain, was used in attacks against Ukrainian telecommunication networks in 2024. However, IoT wipers have existed since at least 2017. 
<a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/py.brickerbot\" target=\"_blank\" rel=\"noopener\">Brickerbot<\/a> is the first known example.<\/p>\n<div style=\"display: block; margin: 10px; border-top: 1px solid #CCCCCC; border-bottom: 1px solid #CCCCCC; padding: 10px;\">\n<h4>Riskiest Connected Devices in 2024 \u2013 IT, IoT, OT, IoMT<\/h4>\n<p class=\"u-display-flex u-flex-wrap u-gap\"><a href=\"\/webinars\/2024-riskiest-devices\/\"  title=\"Register For The Webinar\" class=\"c-btn c-btn--primary has-icon icon-camera icon-position-right has-icon-animation icon-animation-pulse\"><span class=\"cta-button-text\">Register For The Webinar<\/span><\/a> <a href=\"\/resources\/2024-riskiest-connected-devices\/\"  title=\"Access The Full Report\" class=\"c-btn c-btn--primary c-btn--outline u-flex-auto u-flex-initial@sm u-justify-center u-justify-start@sm has-icon icon-arrow-right icon-position-right has-icon-animation icon-animation-fade-in\" target=\"new\"><span class=\"cta-button-text\">Access The Full Report<\/span><\/a>\n<\/div>\n<p>Here, we show how we used past examples of IoT wipers to find emerging wiper behavior on two botnets that we believe are currently under development:<\/p>\n<ul>\n<li>A <strong>new botnet<\/strong> that we dub \u2018Kaden botnet\u2019 based on strings found in the samples analyzed. This malware mixes and matches parts of previous botnet clients, adds a specific signature and includes a wiping function that is not yet in use.<\/li>\n<li>A <strong>new variant<\/strong> of the <a href=\"https:\/\/blog.nsfocus.net\/keksec-lolfme\/\" target=\"_blank\" rel=\"noopener\">LOLFME<\/a> botnet originally attributed to the KekSec team. 
This variant retains functionality similar to previous wipers and introduces a new behavior: wiping a device if it fails to communicate with a C2 IP address.<\/li>\n<\/ul>\n<p>We analyze these botnets to extract indicators of compromise and gather intelligence about their authors.<\/p>\n<p>This research reveals that wipers are a growing threat that organizations should not overlook. Significant attention is focused on malware like <a href=\"\/blog\/2022-threat-roundup-the-emergence-of-mixed-itiot-threats\/\">DDoS botnets and cryptominers on IoT devices<\/a>. Defending against IoT wipers is particularly crucial for those in critical infrastructure sectors that are often <a href=\"\/resources\/threat-report-the-increasing-threat-posed-by-hacktivist-attacks\/\">targeted by opportunistic attackers<\/a>.<\/p>\n<h3>Finding New IoT Wiper Malware Botnets<\/h3>\n<p>We began by compiling a collection of 25 known IoT wiper samples:<\/p>\n<ul>\n<li>1 sample each of <a href=\"https:\/\/www.sentinelone.com\/labs\/acidrain-a-modem-wiper-rains-down-on-europe\/\" target=\"_blank\" rel=\"noopener\">AcidRain<\/a>, <a href=\"https:\/\/www.sentinelone.com\/labs\/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine\/\" target=\"_blank\" rel=\"noopener\">AcidPour<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/py.brickerbot\" target=\"_blank\" rel=\"noopener\">Brickerbot<\/a> and <a href=\"https:\/\/www.zdnet.com\/article\/new-heh-botnet-can-wipe-routers-and-iot-devices\/\" target=\"_blank\" rel=\"noopener\">HEH<\/a><\/li>\n<li>5 samples of <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.vpnfilter\" target=\"_blank\" rel=\"noopener\">VPNFilter<\/a><\/li>\n<li>9 samples of <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.silex\" target=\"_blank\" rel=\"noopener\">Silex<\/a><\/li>\n<li>7 samples of <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.handymannypot\" target=\"_blank\" 
rel=\"noopener\">HandyMannyPot<\/a><\/li>\n<\/ul>\n<p>To identify new IoT malware with wiping capabilities, we developed a YARA rule that captures the known wiping behavior from the samples above. These behaviors include deleting data, writing junk data on specific device paths, and rebooting devices. The figure below summarizes the conditions included in that rule.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-88929\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/IoT-malware-with-wiping-capabilities.jpg\" alt=\"\" width=\"1200\" height=\"256\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/IoT-malware-with-wiping-capabilities.jpg 1200w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/IoT-malware-with-wiping-capabilities-300x64.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/IoT-malware-with-wiping-capabilities-1024x218.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/IoT-malware-with-wiping-capabilities-768x164.jpg 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/p>\n<p>We deployed this rule on VirusTotal\u2019s RetroHunt to identify files submitted between February and May 2024 that exhibited the expected wiping behavior. The hunt yielded eight matches:<\/p>\n<ul>\n<li>Three samples appeared to be a variant of KekSec\u2019s LOLFME botnet, based on a quick string analysis.<\/li>\n<li>Five samples contained an intriguing string, \u201cKADENBOTNET\u201d, which did not correspond to any previously known wiper or botnet family.<\/li>\n<\/ul>\n<p>Subsequently, we <a href=\"https:\/\/www.virustotal.com\/gui\/search\/type%253Aelf%2520and%2520content%253A%2522KADENBOTNET%2522\/files\" target=\"_blank\" rel=\"noopener\">searched for the \u201cKADENBOTNET\u201d<\/a> string in VirusTotal files up to May 2024 and conducted a LiveHunt with our YARA rule from May to the end of June 2024. 
In total, we discovered the following 22 samples of the Kaden botnet:<\/p>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\" style=\"font-size: 10px;\">\n<table>\n<tbody>\n<tr>\n<th><strong>Sample<\/strong><\/th>\n<th><strong>Most recent submission<br \/>\ndate and location<\/strong><\/th>\n<th><strong>C2 IP<\/strong><\/th>\n<th><strong>Downloader IP<\/strong><\/th>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">0cb0872edf98d32320328a92b2d1a563ecdcea398866d0b3f2b67b016b010636<\/td>\n<td>2023-09-23 11:49:02 UTC\n<p>(China)<\/td>\n<td style=\"font-size: 10px;\">185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">735db56fc9b889422c0cc2921438812fb4b0f54e17c47ca03327880ba587f8e1<\/td>\n<td>2023-11-19 02:20:41 UTC\n<p>(Taiwan)<\/td>\n<td style=\"font-size: 10px;\">185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">e214ae9fc129d5bb3e5d9f08435d98cc8d41a5e4d84b5e95353fb6faa1720825<\/td>\n<td>2023-12-07 14:48:48 UTC\n<p>(United States)<\/td>\n<td style=\"font-size: 10px;\">185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">1939dce51318d20c9b48b71421882e31bc11a199f0001bd33a27086f0a17d909<\/td>\n<td style=\"font-size: 10px;\">2024-02-27 20:20:42 UTC\n<p>(France)<\/td>\n<td style=\"font-size: 10px;\">107.191.110[.]183<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">bf3b5884b6204194a983bb088ba58ba5ef9b88cdaa7c852640bd67e00619d5ed<\/td>\n<td style=\"font-size: 10px;\">2024-04-29 07:28:07 UTC\n<p>(China)<\/td>\n<td style=\"font-size: 10px;\">93.104.209[.]253<\/td>\n<td style=\"font-size: 10px;\">hxxp:\/\/68.183.172[.]34\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">a6a35cc9336cd6db225ef3617855fec1117b78c778c5655192c125107e4f58e2<\/td>\n<td style=\"font-size: 10px;\">2024-04-29 07:28:08 UTC\n<p>(China)<\/td>\n<td>93.104.209[.]253<\/td>\n<td>hxxp:\/\/68.183.172[.]34\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 
10px;\">86ed7f04a518926ce776376a374fcd9245e638687b9db11e8c84abe484c7159c<\/td>\n<td>2024-04-29 07:28:10 UTC\n<p>(China)<\/td>\n<td>93.104.209[.]253<\/td>\n<td>hxxp:\/\/68.183.172[.]34\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">9fa8c4e982e6f094ba481758b2065ce1ccd5e58aa39809059af9b558eca39cc3<\/td>\n<td>2024-04-29 07:28:15 UTC\n<p>(China)<\/td>\n<td>93.104.209[.]253<\/td>\n<td>hxxp:\/\/68.183.172[.]34\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">ce1ea5ab42c12484a73ea403eba2c69a316f1e03371f9d313ac64fb61f1f8cff<\/td>\n<td>2024-04-30 06:03:02 UTC\n<p>(China)<\/td>\n<td>185.158.249[.]147<\/td>\n<td>hxxp:\/\/46.36.37[.]3\/it.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">11711729a95e4f4d9627d4bfdc955d3cd26e4c75751f3a90a96a0f89623ccdab<\/td>\n<td>2024-04-30 06:03:04 UTC\n<p>(China)<\/td>\n<td>185.158.249[.]147<\/td>\n<td>hxxp:\/\/46.36.37[.]3\/it.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">e0dd29ada021b45d8e5e17d8851f2d7fd320685aa8bbbbb124428b8918f6ac30<\/td>\n<td>2024-04-30 06:03:06 UTC\n<p>(China)<\/td>\n<td>185.158.249[.]147<\/td>\n<td>hxxp:\/\/46.36.37[.]3\/it.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">49addddb7fbfa9717a0f4cabe88dc0570778eee33a086b2e2c8bfdf9d91eec68<\/td>\n<td>2024-04-30 06:03:07 UTC\n<p>(China)<\/td>\n<td>185.158.249[.]147<\/td>\n<td>hxxp:\/\/46.36.37[.]3\/it.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">fb01be79fcb5489c5889c2910b55ee697bb1a544735308ab4ca5c2a26e7925ed<\/td>\n<td>2024-04-30 06:03:09 UTC\n<p>(China)<\/td>\n<td>185.158.249[.]147<\/td>\n<td>hxxp:\/\/46.36.37[.]3\/it.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">5a19f153bbd0afdf3abf83340a4c4c467fffeda09a470d7d62176265ab7bcff3<\/td>\n<td>2024-05-01 08:40:40 UTC\n<p>(China)<\/td>\n<td>194.147.35[.]56<\/td>\n<td>hxxp:\/\/194.147.35[.]56\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">c557a99d78a0adbcf5e040f71458d682d3093fd8ac3e2624b7a780a9a9e5d1bd<\/td>\n<td>2024-05-01 08:41:19 
UTC\n<p>(China)<\/td>\n<td>194.147.35[.]56<\/td>\n<td>hxxp:\/\/194.147.35[.]56\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">89211225d0afe0c86fa4dc0017559e3025c3d195dbf5f53b684d9f39bcab1867<\/td>\n<td>2024-05-01 08:42:19 UTC\n<p>(China)<\/td>\n<td>194.147.35[.]56<\/td>\n<td>hxxp:\/\/194.147.35[.]56\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">68f25f6b1fb02052f9e53ef86404ab733034633a0682ec13e5b80c7c80043e21<\/td>\n<td>2024-05-01 08:45:19 UTC\n<p>(China)<\/td>\n<td>194.147.35[.]56<\/td>\n<td>hxxp:\/\/194.147.35[.]56\/Okami.sh<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">425763146eb6a8a5f2da5d481b1752806032e53d83b304d08c15b010c3578508<\/td>\n<td>2024-05-02 06:07:12 UTC\n<p>(China)<\/td>\n<td>185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">b90a6b309ee29d3633a5ed9b49de78e38ce68f44a4d014977b3f8322c76a4d2d<\/td>\n<td>2024-05-02 06:08:41 UTC\n<p>(China)<\/td>\n<td>185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">44e7fef792b63debd87e8eb9636675deea29febe0107a9f708adbe5bdca1dead<\/td>\n<td>2024-05-02 06:11:03 UTC\n<p>(China)<\/td>\n<td>185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">cb139f5abd6ce16191b40ee01b0f1b10c9846469b265fab0a972bd0388a838f8<\/td>\n<td>2024-05-02 06:16:32 UTC\n<p>(China)<\/td>\n<td>185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">6103262a245fb296edf2f5c0ffc99e5a74bc4b267d304a92c934e37045811d93<\/td>\n<td>2024-05-02 06:15:35 UTC\n<p>(China)<\/td>\n<td>185.244.25[.]166<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Of the 22 samples, 18 had a single submission to VirusTotal, with 16 of those submissions originating from China. One sample (c557a99d78a0adbcf5e040f71458d682d3093fd8ac3e2624b7a780a9a9e5d1bd) had two submissions: one shown in the table, and another on April 27, 2024, also from China. 
Only two samples had multiple submissions: 9 for 6103262a245fb296edf2f5c0ffc99e5a74bc4b267d304a92c934e37045811d93 and 12 for 49addddb7fbfa9717a0f4cabe88dc0570778eee33a086b2e2c8bfdf9d91eec68. The earliest submission was on January 10, 2019, from France.<\/p>\n<p><strong>Since most of the samples were newly submitted between February and May 2024, this indicates that the botnet\u2019s development is ongoing. Another sign of its evolving capabilities is that only the last five samples include the wiping function, which matched our original YARA rule. <\/strong><\/p>\n<p>Each sample had a hardcoded C2 IP address, all of which belong to virtual private server (VPS) providers that have hosted different botnet C2s since 2019. Notably, one IP address, 185.244.25[.]166, had a distinctive domain name. In 2019, when the first samples were submitted, it resolved to alex-botnet[.]xyz, including subdomains cnc.alex-botnet[.]xyz and www.alex-botnet[.]xyz.<\/p>\n<p>Most samples also contained hardcoded downloader IP addresses, which pointed to additional malware that could be downloaded, such as the file Okami.sh which leads to an Okami botnet sample. These IP addresses have hosted numerous malicious files for several years.<\/p>\n<p>All the samples are classified as Gafgyt or Mirai by most detection engines. This is common with new botnets that are variants of known malware. 
As discussed in our <a href=\"\/resources\/2022-threat-roundup-report-the-emergence-of-mixed-itiot-threats\/\" target=\"_blank\" rel=\"noopener\">previous research<\/a>, classifying IoT botnet variants is challenging due to minor differences in behavior amid many similarities.<\/p>\n<h3>Wiper Malware Analysis: Kaden Botnet<\/h3>\n<p>To understand the behavior of this newly developed botnet, we analyzed the five most recent samples, which include the wiping behavior. The first notable aspect is that the botnet appears to mix and match various functions and elements from several other botnets.<\/p>\n<p>The overall structure of the bot is derived from a version of the <a href=\"https:\/\/github.com\/IIIKILLAIII\/botnet\/blob\/master\/client.c\" target=\"_blank\" rel=\"noopener\">\u201crebirth\u201d botnet client<\/a> from 2017. This structure has been used by <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread\" target=\"_blank\" rel=\"noopener\">Gafgyt<\/a> variants in the past. Many of the C2 commands found in Kaden botnet, described below, are also similar to <a href=\"https:\/\/blog.cyber5w.com\/gafgyt-backdoor-analysis\" target=\"_blank\" rel=\"noopener\">those seen in Gafgyt<\/a>.<\/p>\n<p>The client first initializes a TCP socket to a hardcoded C2 address (such as those listed in the table above). It then sends the host\u2019s build architecture (e.g., \u201cx86_64\u201d) and byte ordering (e.g., \u201cLITTLE_ENDIAN\u201d) over this connection and waits for further instructions from the C2. The C2 can send one of the following instructions, which the bot will execute:<\/p>\n<ol>\n<li><strong>ICMP<\/strong> \u2013 Does nothing.<\/li>\n<li><strong>HTTP<\/strong> \u2013 Initiates an HTTP flood attack. 
The C2 can specify the request method, target host, port, path, attack duration and number of attacks.<\/li>\n<li><strong>HTTPHEX<\/strong> \/ <strong>HTTPTXT<\/strong> \u2013 Similar to <strong>HTTP<\/strong>, but uses a string in the form of \u201cKADENBOTNET&lt;hardcoded random string&gt;KADENBOTNET\u201d as the requested path.<\/li>\n<li><strong>UDP<\/strong> \/ <strong>TCP<\/strong> \u2013 Initiates a flood attack where the C2 can choose to spoof the source IP.<\/li>\n<li><strong>STD \/ STDHEX<\/strong> \u2013 Initiates another simple UDP flood attack.<\/li>\n<li><strong>STOP<\/strong> \u2013 Halts ongoing attacks by killing forked processes.<\/li>\n<li><strong>CLEAN<\/strong> \u2013 Calls the CleanDevice() function, shown below, to remove logs and temporary files, and flush and stop iptables and firewalld. This function seems to be a slightly modified version of the <a href=\"https:\/\/github.com\/HAXanonymous23\/modded-botnet\/blob\/master\/client.c#L1827\" target=\"_blank\" rel=\"noopener\">RemoveTMP() function from yet another Mirai botnet variant<\/a>.<\/li>\n<\/ol>\n<p><a href=\"\/wp-content\/uploads\/2024\/07\/RemoveTMP-function-from-yet-another-Mirai-botnet-variant.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-88941\" src=\"\/wp-content\/uploads\/2024\/07\/RemoveTMP-function-from-yet-another-Mirai-botnet-variant.jpg\" alt=\"\" width=\"600\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/RemoveTMP-function-from-yet-another-Mirai-botnet-variant.jpg 900w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/RemoveTMP-function-from-yet-another-Mirai-botnet-variant-300x213.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/RemoveTMP-function-from-yet-another-Mirai-botnet-variant-768x544.jpg 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>The botnet client also detects and logs attempts to use the following commands, suggesting that similar bots 
might respond to these commands or that they may be added in the future: BOTKILL, GTFO, LOLGTFO, and SH.<\/p>\n<p>The wiping functionality is found in a function called KillDevice(), which appears to be directly sourced from <a href=\"https:\/\/www.akamai.com\/blog\/security\/sirt-advisory-silexbot-bricking-systems-with-known-default-login-credentials\" target=\"_blank\" rel=\"noopener\">Silex<\/a>, since it uses the same \u201cii11II\u201d variable name. However, this function is not currently called by any C2 command, indicating that the botnet is still under development.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/07\/KillDevice.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-88942\" src=\"\/wp-content\/uploads\/2024\/07\/KillDevice.png\" alt=\"\" width=\"600\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KillDevice.png 746w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KillDevice-300x130.png 300w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<p>In conclusion, it appears that the author of this botnet acquired a version of the \u2018rebirth\u2019 bot source code, copy-pasted and renamed some commands and added their \u2018KADENBOTNET\u2019 signature to ensure this string appears in the logs of their targets. Additionally, they were in the process of incorporating the wiping capability used by Silex.<\/p>\n<h3>Kaden Botnet: Who Is Behind It?<\/h3>\n<p>In addition to the \u201cKADENBOTNET\u201d string that led us to identify this new botnet, we discovered two other related strings in the samples: \u201cKaden1337\u201d and \u201cKaDeNTheBoTNETHeGOD\u201d. 
Using these strings as seeds for an investigation, we sought to determine the identity or significance of \u2018Kaden\u2019.<\/p>\n<p>On YouTube, we found a profile named \u2018@Kaden1227\u2019 that uploaded four videos between 2018 and 2020, all related to botnets or similar activities, as shown below.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/07\/Kaden-Botnet.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-88944\" src=\"\/wp-content\/uploads\/2024\/07\/Kaden-Botnet.png\" alt=\"\" width=\"900\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet.png 2279w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet-300x135.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet-1024x460.png 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet-768x345.png 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet-1536x689.png 1536w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/Kaden-Botnet-2048x919.png 2048w\" sizes=\"(max-width: 2279px) 100vw, 2279px\" \/><\/a><\/p>\n<p>The two most recent videos advertised \u2018spots\u2019 (compromised devices) on the Okami botnet and a stresser service called ezslap[.]com that facilitates launching DDoS attacks. 
In the video about the stresser service, the username \u2018KadenTehGod\u2019 is also visible.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/07\/KadenTehGod.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-88945\" src=\"\/wp-content\/uploads\/2024\/07\/KadenTehGod.png\" alt=\"\" width=\"900\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KadenTehGod.png 1729w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KadenTehGod-300x195.png 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KadenTehGod-1024x666.png 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KadenTehGod-768x499.png 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/KadenTehGod-1536x999.png 1536w\" sizes=\"(max-width: 1729px) 100vw, 1729px\" \/><\/a><\/p>\n<p>The most interesting video is the oldest one, dated March 2018. In this video, someone demonstrates how to set up a botnet server. The person, who appears to be using their own voice, sounds like a young male with an American accent. Several indicators suggest that this individual is based in the United States:<\/p>\n<ul>\n<li>The date on the system clock in the video is \u201c3\/18\/2018,\u201d using the American date format.<\/li>\n<li>The \u201cfastest mirrors\u201d for the downloaded packages resolve to domains of American universities (e.g., mirror.umd.edu and mirror.es.its.nyu.edu). Mirror selection is typically influenced by geographical location.<\/li>\n<\/ul>\n<p>In the same video, \u2018Kaden\u2019 shows how he stores many of the files he sells on a website hosted at account-gen[.]xyz, which has a similar format to the alex-botnet[.]xyz domain used by one of the IPs in the recent Kaden botnet: 185.244.25[.]166. 
Additionally, the video shows a Discord channel called \u2018Kadens Eleet\u2019 where the username \u2018Kaden1337\u2019 is also displayed.<\/p>\n<h2>Analysis: LOLFME Wiper Variant<\/h2>\n<p>Similar to our approach with the Kaden botnet, we ran a LiveHunt using our YARA rule from May through the end of June 2024 after conducting the RetroHunt for samples submitted between February and May. This search yielded the following four recent samples containing distinctive LOLFME strings:<\/p>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\" style=\"font-size: 10px;\">\n<table>\n<tbody>\n<tr>\n<th style=\"font-size: 10px;\">Sample<\/th>\n<th style=\"font-size: 10px;\">Most recent submission<br \/>\ndate and location<\/th>\n<th style=\"font-size: 10px;\">Contacted IPs<\/th>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">ff33ce4ea04cf26ad62ca72e6b3072485ed6a5e16ee981cb471bd649b12f9494<\/td>\n<td style=\"font-size: 10px;\">(China)<\/td>\n<td style=\"font-size: 10px;\">192.3.117[.]132<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">26a494382bbfa16e8674beee16c89e5704b8abd1e1283b0fa28ec2d9d7bfebd9<\/td>\n<td style=\"font-size: 10px;\">2024-03-13 09:38:29 UTC\n<p>(United States)<\/td>\n<td style=\"font-size: 10px;\">192.3.117[.]132<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">50bdb7eee2d3f36346366fc3f2b6f6e66a24268f78e46b678fec746198715845<\/td>\n<td style=\"font-size: 10px;\">(Canada)<\/td>\n<td style=\"font-size: 10px;\">192.3.117[.]132<\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 10px;\">0b471ee1ad869b54b12efcd13ef2a024c555232a814b021c119de5e7a63789bf<\/td>\n<td style=\"font-size: 10px;\">2024-05-23 11:00:11 UTC\n<p>(India)<\/td>\n<td style=\"font-size: 10px;\">192.3.117[.]132<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>This botnet is more complex than Kaden and does not appear to incorporate functionality from several sources; instead, it represents an evolution in KekSec botnet variants.<\/p>\n<p><a href=\"https:\/\/vblocalhost.com\/uploads\/VB2021-Jin-Tu.pdf\">KekSec<\/a>, a 
group created in 2016, is known for its experienced botnet developers. They have deployed well-known botnets such as Mirai and Gafgyt, and developed their own, including Necro, LOLFME, and EnemyBot, the latter of which has become an <a href=\"https:\/\/github.com\/freakanonymous\/enemy\">open-source project on GitHub<\/a>. KekSec is recognized for continually enhancing their botnets with new functionality.<\/p>\n<p>While we cannot definitively say whether these samples were developed by KekSec members or adapted from their source code, their open-source code does not contain the \u201clol f me\u201d string found in these samples. This string is absent from GitHub repositories. LOLFME was originally developed between May and August 2019, making it a short-lived botnet.<\/p>\n<p>The first sample we analyzed, identified as ff33ce4ea04cf26ad62ca72e6b3072485ed6a5e16ee981cb471bd649b12f9494, begins execution by obfuscating the process name of its executable to a random sequence derived from the victim machine\u2019s time. Then it clears environment variables and ignores hangups from its terminal session and the death of child processes, so that neither interrupts its execution.<\/p>\n<p>The malware attempts to evade dynamic analysis by creating diversionary child processes and prevents the system kernel from resetting by either petting the watchdog timer (using ioctl 0x80045705) or completely disabling it (using ioctl 0x80045704). This technique has also been used by Mirai and Gafgyt botnets in the past. Ultimately, the malware maintains the highest possible privileges (root) and detaches from the terminal to run in the background without interruption.<\/p>\n<p>The botnet process connects to a hardcoded C2 IP address obfuscated with a simple XOR algorithm. 
Upon establishing the connection, the malware sends a status announcement in the form of \u201cid:process_name\u201d (with process_name being the previously generated random process name variable) along with the sequence of bytes 0x30, 0x78, 0x31, 0x5c, 0x30, 0x78, 0x31, 0x5c, 0x30, 0x78, 0x35, 0x5c, 0x30, 0x78, 0x37, 0x5c, 0x30, 0x78, 0x39, 0x5c, 0x30, 0x78, 0x30 on TCP port 4077.<\/p>\n<p><strong>The novel behavior we observed (matching our YARA rule) is that if the connection to the C2 fails, the malware terminates all attack modules and wipes the directories \u201c\/\u201d and \u201c\/proc\/net\/tcp\u201d.<\/strong><\/p>\n<p>Once the C2 connection is established, the malware executes three modules:<\/p>\n<ul>\n<li><strong>Killer00<\/strong>: Terminates any process that doesn\u2019t have a path like [&#8220;\/usr\/&#8221;, &#8220;\/systemd\/&#8221;, &#8220;bin\/&#8221;, &#8220;mi&#8221;, &#8220;aa&#8221;, &#8220;aaa&#8221;, &#8220;aaaa&#8221;, &#8220;daaaa&#8221;, &#8220;mmi&#8221;, &#8220;html&#8221;, &#8220;clouds&#8221;, &#8220;cloudrop&#8221;]<\/li>\n<li><strong>telnet_init<\/strong>: Scans the local network using Telnet for devices with weak credentials, such as [(&#8216;support&#8217;, &#8216;support&#8217;), (&#8216;user&#8217;, &#8216;user&#8217;), (&#8216;admin&#8217;, &#8216;ho4uku6at&#8217;), (&#8216;support&#8217;, &#8216;1234&#8217;), (&#8216;admin&#8217;, &#8216;&#8217;), (&#8216;root&#8217;, &#8216;&#8217;), (&#8216;admin&#8217;, &#8216;1234&#8217;), (&#8216;password&#8217;, &#8216;password&#8217;), (&#8216;admin&#8217;, &#8216;admin&#8217;), (&#8216;admin&#8217;, &#8216;changeme&#8217;), (&#8216;root&#8217;, &#8216;changeme&#8217;), (&#8216;root&#8217;, &#8216;root&#8217;), (&#8216;root&#8217;, &#8216;20080826&#8217;), (&#8216;root&#8217;, &#8216;admin&#8217;), (&#8216;root&#8217;, &#8216;12345&#8217;), (&#8216;root&#8217;, &#8216;vizxv&#8217;), (&#8216;root&#8217;, &#8216;xc3511&#8217;), (&#8216;root&#8217;, &#8216;123456&#8217;), 
(&#8216;root&#8217;, &#8216;default&#8217;), (&#8216;root&#8217;, &#8216;5up&#8217;), (&#8216;root&#8217;, &#8216;zlxx.&#8217;), (&#8216;default&#8217;, &#8216;&#8217;), (&#8216;default&#8217;, &#8216;default&#8217;), (&#8216;guest&#8217;, &#8216;&#8217;), (&#8216;guest&#8217;, &#8216;guest&#8217;), (&#8216;12345&#8217;, &#8216;guest&#8217;), (&#8216;123456&#8217;, &#8216;default&#8217;), (&#8216;admin&#8217;, &#8216;pass&#8217;), (&#8216;root&#8217;, &#8216;pass&#8217;), (&#8216;telnet&#8217;, &#8216;telnet&#8217;)]<\/li>\n<li><strong>connection_handler<\/strong>: Parses commands from the C2 and executes them. Several commands are similar to the DDoS attacks seen in Kaden botnet, some are specific DDoS attacks targeting gaming servers, and one particularly interesting command is \u201cbricklol\u201d. This command wipes the authentication log at \/var\/log\/auth.log and the shell histories at bash_history and zsh_history by linking them to \/dev\/null. It then composes multiple commands to wipe mtd (flash memory) and sda (hard drive) devices, disable networking routes, flush iptables rules, add an iptables rule to DROP all INPUT and FORWARD requests, and finally reboot the device.<\/li>\n<\/ul>\n<p>The second sample (26a494382bbfa16e8674beee16c89e5704b8abd1e1283b0fa28ec2d9d7bfebd9) introduced a few new commands that monitor the local network and report back to the C2. It also fixed the broken implementations of some previous DDoS commands and added a check to detect whether the parent process of the malware is strace, gdb, lldb or ltrace, in order to evade dynamic analysis.<\/p>\n<p>The subsequent samples incorporated similar improvements, further indicating that this botnet is under active development.<\/p>\n<h3>Conclusion<\/h3>\n<p>We do not have evidence that these two new wiper botnets are being deployed in the wild yet. 
The fact that most samples have single submissions on VirusTotal, together with the other evidence discussed above, suggests ongoing development and testing against detection engines.<\/p>\n<p>These botnets, particularly their wiper behavior, could be deployed against targets after this testing phase is complete. Alternatively, they could simply be the work of teenagers experimenting with botnets without intending to deploy them. However, the combination of botnets, wipers and inexperienced developers is dangerous. This was demonstrated by Silex in 2019, when it wiped thousands of IoT devices and left the following message.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Is Wiper Malware? Wipers are malware that delete data on a device or make it inaccessible. They can be used for sabotage, to destroy evidence of an attack or simply to make a device unusable. 
IoT wipers often rewrite important parts of the firmware of an IoT device, rendering that device useless, so they [&hellip;]<\/p>\n","protected":false},"author":124,"featured_media":88955,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[562,540],"tags":[],"coauthors":[542],"class_list":["post-88926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-views","category-research-and-cyber-alerts"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - Forescout<\/title>\n<meta name=\"description\" content=\"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. Learn all about the latest wiper variants and how they work.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - Forescout\" \/>\n<meta property=\"og:description\" content=\"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. 
Learn all about the latest wiper variants and how they work.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-18T16:20:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-16T13:35:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"419\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\"},\"author\":{\"name\":\"Forescout Research - Vedere Labs\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\"},\"headline\":\"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants\",\"datePublished\":\"2024-07-18T16:20:37+00:00\",\"dateModified\":\"2024-08-16T13:35:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\"},\"wordCount\":3062,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg\",\"articleSection\":[\"News &amp; Views\",\"Research &amp; Cyber Alerts\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\",\"name\":\"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - 
Forescout\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg\",\"datePublished\":\"2024-07-18T16:20:37+00:00\",\"dateModified\":\"2024-08-16T13:35:04+00:00\",\"description\":\"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. Learn all about the latest wiper variants and how they work.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg\",\"width\":800,\"height\":419},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet 
Variants\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\",\"name\":\"Forescout Research - Vedere 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/b4c8db5600adef8fa1a89cc86e15c781\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"caption\":\"Forescout Research - Vedere Labs\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - Forescout","description":"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. Learn all about the latest wiper variants and how they work.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/","og_locale":"en_US","og_type":"article","og_title":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - Forescout","og_description":"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. Learn all about the latest wiper variants and how they work.","og_url":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/","og_site_name":"Forescout","article_publisher":"https:\/\/www.facebook.com\/ForescoutTechnologies","article_published_time":"2024-07-18T16:20:37+00:00","article_modified_time":"2024-08-16T13:35:04+00:00","og_image":[{"width":800,"height":419,"url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","type":"image\/jpeg"}],"author":"Forescout Research - Vedere Labs","twitter_card":"summary_large_image","twitter_creator":"@Forescout","twitter_site":"@Forescout","twitter_misc":{"Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#article","isPartOf":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/"},"author":{"name":"Forescout Research - Vedere Labs","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984"},"headline":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants","datePublished":"2024-07-18T16:20:37+00:00","dateModified":"2024-08-16T13:35:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/"},"wordCount":3062,"publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","articleSection":["News &amp; Views","Research &amp; Cyber Alerts"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/","url":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/","name":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants - 
Forescout","isPartOf":{"@id":"https:\/\/www.forescout.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","datePublished":"2024-07-18T16:20:37+00:00","dateModified":"2024-08-16T13:35:04+00:00","description":"Forescout Research Vedere Labs discovers brand new IoT wiper malware botnets. Learn all about the latest wiper variants and how they work.","breadcrumb":{"@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#primaryimage","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","width":800,"height":419},{"@type":"BreadcrumbList","@id":"https:\/\/www.forescout.com\/blog\/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.forescout.com\/"},{"@type":"ListItem","position":2,"name":"Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet 
Variants"}]},{"@type":"WebSite","@id":"https:\/\/www.forescout.com\/#website","url":"https:\/\/www.forescout.com\/","name":"Forescout","description":"","publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.forescout.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.forescout.com\/#organization","name":"Forescout Technologies, Inc.","url":"https:\/\/www.forescout.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","width":1,"height":1,"caption":"Forescout Technologies, Inc."},"image":{"@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ForescoutTechnologies","https:\/\/x.com\/Forescout","https:\/\/www.instagram.com\/forescouttechnologies\/","https:\/\/www.linkedin.com\/company\/forescout-technologies","https:\/\/www.youtube.com\/user\/forescout1"]},{"@type":"Person","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984","name":"Forescout Research - Vedere Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/image\/b4c8db5600adef8fa1a89cc86e15c781","url":"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g","caption":"Forescout Research - Vedere 
Labs"}}]}},"featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/07\/FS-2024-VL-IoT-Wiper-Blog-Share-v1.jpg","is_file":false,"excerpt_manually_set":false,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/88926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=88926"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/88926\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media\/88955"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=88926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=88926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=88926"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=88926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}