A newly identified malicious implant named RoadK1ll is enabling threat actors to quietly move from a compromised host to other systems on the network.
The malware is a Node.js implant that communicates over a custom WebSocket protocol to sustain ongoing attacker access and enable further operations.
RoadK1ll was discovered by managed detection and response (MDR) provider Blackpoint during an incident response engagement.
The researchers describe it as a lightweight reverse tunneling implant that blends into normal network activity and turns an infected machine into a relay point for the attacker.
"Its sole function is to convert a single compromised machine into a controllable relay point, an access amplifier, through which an operator can pivot to internal systems, services, and network segments that would otherwise be unreachable from outside the perimeter," Blackpoint says.
RoadK1ll does not rely on an inbound listener on the compromised host. It establishes an outbound WebSocket connection to attacker-controlled infrastructure, which is then used as a tunnel to relay TCP traffic on demand.
This approach allows the attacker to remain undetected for a longer period and forward traffic to internal systems through a single WebSocket tunnel.
"The attacker can instruct RoadK1ll to open connections to internal services, management interfaces, or other hosts that are not directly exposed externally," Blackpoint says.
"Because these connections originate from the compromised machine, they inherit its network trust and positioning, effectively bypassing perimeter controls."
Furthermore, RoadK1ll supports multiple concurrent connections over the same tunnel, allowing its operator to communicate with several destinations at once.
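The behaviour described above (an outbound WebSocket session, held open from an internal host, that carries relayed TCP connections) is the shape a defender can hunt for in proxy or EDR telemetry. The script below is an added example and is not code from the article or from Blackpoint; the log records, the allowlist and the indicator thresholds are constructed for illustration, and the field names (`src`, `dst`, `host`, `upgrade`, `status`, `duration`, `process`) are assumptions about how a JSON-exported proxy log enriched with process names might look. It scores each established WebSocket session (HTTP 101) that leaves the RFC 1918 space for indicators that match the implant's tunnel pattern: an endpoint outside the known WebSocket allowlist, a bare-IP Host header, a very long-lived session, and a Node.js runtime as the initiating process.

```python
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample records in the style of a JSON-exported web proxy log
# enriched with the originating process from an EDR. Every value here is
# fabricated for this example; none come from the Blackpoint report.
SAMPLE_LOGS = [
    '{"ts": 1700000000, "src": "10.0.5.21", "dst": "203.0.113.45", "dst_port": 443, "host": "cdn.example.test", "upgrade": "websocket", "status": 101, "duration": 86400, "process": "node.exe"}',
    '{"ts": 1700000100, "src": "10.0.5.22", "dst": "198.51.100.7", "dst_port": 443, "host": "chat.corp.example", "upgrade": "websocket", "status": 101, "duration": 3200, "process": "teams.exe"}',
    '{"ts": 1700000200, "src": "10.0.5.23", "dst": "203.0.113.90", "dst_port": 8080, "host": "203.0.113.90", "upgrade": "websocket", "status": 101, "duration": 45, "process": "node.exe"}',
    '{"ts": 1700000300, "src": "10.0.5.24", "dst": "10.0.8.10", "dst_port": 80, "host": "intranet", "upgrade": "", "status": 200, "duration": 1, "process": "chrome.exe"}',
    '{"ts": 1700000400, "src": "10.0.5.25", "dst": "192.0.2.200", "dst_port": 443, "host": "192.0.2.200", "upgrade": "websocket", "status": 101, "duration": 172800, "process": "node"}',
    '{"ts": 1700000500, "src": "10.0.5.26", "dst": "198.51.100.40", "dst_port": 443, "host": "feeds.vendor.example", "upgrade": "websocket", "status": 101, "duration": 120, "process": "chrome.exe"}',
]

# Constructed allowlist of WebSocket services the organisation expects to see.
ALLOWED_WS_HOSTS = {"chat.corp.example"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses. ipaddress.is_private is deliberately not used:
    it also covers documentation ranges such as 203.0.113.0/24 used in the samples."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    host: str
    duration: int
    process: str
    reasons: list = field(default_factory=list)


def tunnel_indicators(rec: dict, allowed_hosts: set, long_session_s: int = 3600) -> list:
    """Return the reasons an established WebSocket session resembles an outbound
    reverse tunnel; an empty list means the record is not worth triage."""
    # Only completed upgrades (HTTP 101) are sessions that can carry tunneled traffic.
    if rec.get("upgrade", "").lower() != "websocket" or rec.get("status") != 101:
        return []
    # The implant pattern is internal host -> external infrastructure, not the reverse.
    if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
        return []
    if rec.get("host", "") in allowed_hosts:
        return []
    reasons = ["outbound WebSocket to a host outside the allowlist"]
    try:
        ipaddress.ip_address(rec.get("host", ""))
        reasons.append("Host header is a bare IP address")
    except ValueError:
        pass  # a DNS name, which is the normal case
    if rec.get("duration", 0) >= long_session_s:
        reasons.append(f"session held open for {rec['duration']}s (>= {long_session_s}s)")
    if rec.get("process", "").lower().startswith("node"):
        reasons.append("initiated by a Node.js runtime rather than a browser or chat client")
    # Require corroboration: an unlisted endpoint on its own is common noise,
    # two or more indicators together match the relay pattern closely enough to triage.
    return reasons if len(reasons) >= 2 else []


def find_tunnel_candidates(log_lines, allowed_hosts=ALLOWED_WS_HOSTS) -> list:
    """Parse JSON log lines and return a Finding for each session that scores."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = tunnel_indicators(rec, allowed_hosts)
        if reasons:
            findings.append(Finding(rec["src"], rec["dst"], rec["dst_port"], rec["host"],
                                    rec["duration"], rec.get("process", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_LOGS):
        print(f"{f.src} -> {f.host}:{f.dst_port} ({f.process}): " + "; ".join(f.reasons))
```

Run against the constructed records, the hunt flags the three sessions from 10.0.5.21, 10.0.5.23 and 10.0.5.25 and leaves the allowlisted chat client, the plain intranet request and the short browser session alone. In practice the allowlist and the duration threshold are the tuning knobs: legitimate collaboration tools also hold WebSockets open for hours, so the process name and the destination are what separate a relay from ordinary traffic, and a single long outbound WebSocket from a host that should not be running Node.js is the finding to chase first.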