Last month, operators of the infamous information-stealing malware KPOT held an online auction on a dark web forum. Interestingly, the KPOT malware auction saw only one buyer ready to shell out the base price of $6500 to acquire the source code. On further investigation, it was found that the winning bidder was none other than UNKN, a known member from the REvil (also known as Sodinokibi) ransomware gang.
KPOT Malware Auction
The operators put KPOT up for auction because they wanted to move on to another project, and they set a starting price of $6500 to cash out. That price appears to have been too high for most members of the dark web forum where the auction was advertised, and it drew no competing bids.
KPOT was first advertised in mid-2018 as Malware-as-a-Service (MaaS). Its latest version, KPOT 2.0, is an information stealer that collects:
- Browsing history
- Browser autofill form data
- RDP files
- System information, including IP address, username and installed software
A stealer with this feature set is a natural fit for a threat actor who wants a foothold in a network or system before deploying a second-stage payload such as ransomware. That is presumably how REvil saw it: with no other bidders at that price, REvil member UNKN bought the KPOT 2.0 source code for the $6500 starting price. Price would hardly have been an obstacle in any case. A Russian YouTube channel that claims to have interviewed a member of the Russian-speaking REvil gang reported that the group claims an annual turnover of more than $100 million from ransom payments.
REvil ransomware combined with KPOT's browser and RDP data harvesting is well suited to targeted attacks on large corporations. KPOT belongs on the list of threats your organization tracks.