The source code for the KPot information stealer was put up for auction and the REvil ransomware operators want to acquire it.
— pancak3 (@pancak3lullz) October 15, 2020
KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.
The malware, which was first spotted in 2018, is also able to take a screenshot of the active desktop and also target wallets stored on the computer.
The KPOT Stealer was written in C/C++, it was offered in the cybercrime underground as a Malware-as-a-Service (MaaS).
The malware communicates with the C2 infrastrcuture via HTTP requests and supports multiple commands to steal any kind of information from the infected systems.
The KPot source code was initially offered for $10,000 upfront, and according to the threat intelligence provider Cyjax the only participant in the action was UNKN, who is a well-known member of the REvil (Sodinokibi) ransomware crew.
“The source code for the KPot stealer has been auctioned off, with a representative of the REvil ransomware group being the sole public bidder.” reads a post published by the company on LinkedIn. “The REvil representative was the only public bidder for this product, and the auction was closed soon after their bid was made. While the closed nature of these sales makes it impossible to definitively state REvil are now the owner of the KPot stealer, this seems highly likely. They were the only public bidder for this product and could almost certainly outbid other interested parties. If REvil has purchased the source code for KPot stealer, then this will likely be incorporated into future ransomware attacks.”
UNKN paid the initial asking price of $6,500, while other forum members declined to participate, citing the steep asking price.
The auction was related to the source code of KPOT 2.0, which is the latest version of the info stealer.
The REvil ransomware operators will likely integrate the source code for the KPot stealer in their ransomware.