24 June 2019

New crypto-currency mining botnet targets Android devices via open ADB

A new cryptocurrency mining botnet has been discovered that spreads through the Android Debug Bridge (ADB) Wi-Fi interface and over SSH connections to other hosts. According to a report from Trend Micro, the botnet malware has reached 21 countries, with the highest infection rates observed in South Korea.

While ADB is disabled on most Android devices by default, some ship with the feature enabled, allowing unauthenticated attackers to connect remotely on TCP port 5555 and gain direct access via the ADB command shell, a tool developers commonly use to install and debug apps.

During the first stage of the attack, the IP address 45[.]67[.]14[.]179 connects to a device running ADB and uses the ADB command shell to change the attacked system’s working directory to “/data/local/tmp”. This directory is chosen because .tmp files typically have default execution permissions.

The bot then runs a series of checks to determine whether it has landed on a honeypot and which operating system the targeted device runs. Next, the malicious implant downloads the payload with wget, falling back to curl if wget is not present on the infected system. The bot then runs “chmod 777 a.sh”, making the downloaded payload readable, writable and executable by everyone, and issues a series of commands to remove its traces.

Once downloaded, the payload lets the botnet choose one of three miners depending on the infected system’s manufacturer, architecture, processor type, and hardware. All three miners are delivered from the same URL.

“To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as “/sbin/sysctl -w vm.nr_hugepages=128,” note the researchers.

Additionally, the bot targets rival cryptocurrency miners found on the victim’s device. It blocks a competitor by modifying /etc/hosts and adding the record “0.0.0.0 miningv2.duckdns.org”, which sinkholes the domain of the competing miner.
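The indicators described above (ADB listening on TCP, the a.sh payload in /data/local/tmp, the raised vm.nr_hugepages value and the /etc/hosts sinkhole record) can be checked on a device from the defender's side. The script below is an added example and is not Trend Micro's code or tooling; each check takes the text of a system artefact, so it runs offline on the constructed samples included here. On a real device the same text would come from commands such as `adb shell getprop`, `adb shell cat /etc/hosts`, `adb shell sysctl vm.nr_hugepages` and `adb shell ls -l /data/local/tmp`.

```python
"""Host-based checks for the indicators the article describes.

Added example; not Trend Micro's code. Each check parses the text of one
system artefact so the script runs offline on the constructed samples below.
"""
import re
from typing import Dict, Optional

# Indicators taken from the article.
RIVAL_MINER_RECORD = re.compile(r"^\s*0\.0\.0\.0\s+miningv2\.duckdns\.org\s*$", re.M)
PAYLOAD_NAME = "a.sh"


def adb_tcp_port(getprop_output: str) -> Optional[int]:
    """Return the TCP port ADB listens on, or None if ADB over TCP is off.

    `getprop` prints '[service.adb.tcp.port]: [5555]' when enabled; an
    unset, empty or negative value means USB-only debugging.
    """
    m = re.search(r"\[service\.adb\.tcp\.port\]:\s*\[(-?\d*)\]", getprop_output)
    if not m or not m.group(1):
        return None
    port = int(m.group(1))
    return port if port > 0 else None


def rival_miner_blocked(hosts_text: str) -> bool:
    """True if /etc/hosts carries the sinkhole record the bot adds."""
    return RIVAL_MINER_RECORD.search(hosts_text) is not None


def hugepages_enabled(sysctl_output: str) -> bool:
    """True if vm.nr_hugepages was raised above the usual default of 0."""
    m = re.search(r"vm\.nr_hugepages\s*=\s*(\d+)", sysctl_output)
    return bool(m) and int(m.group(1)) > 0


def payload_present(ls_output: str) -> bool:
    """True if the dropped payload name appears in a listing of /data/local/tmp."""
    names = (line.split()[-1] for line in ls_output.splitlines() if line.split())
    return PAYLOAD_NAME in names


def assess(getprop_output: str, hosts_text: str,
           sysctl_output: str, ls_output: str) -> Dict[str, object]:
    """Combine the checks; 'suspicious' is True when any post-compromise
    indicator is present (open ADB alone is exposure, not infection)."""
    port = adb_tcp_port(getprop_output)
    report: Dict[str, object] = {
        "adb_tcp_port": port,
        "adb_over_tcp": port is not None,
        "rival_miner_blocked": rival_miner_blocked(hosts_text),
        "hugepages_enabled": hugepages_enabled(sysctl_output),
        "payload_present": payload_present(ls_output),
    }
    report["suspicious"] = any(
        report[k] for k in ("rival_miner_blocked", "hugepages_enabled", "payload_present"))
    return report


# Constructed samples (not real captures) for a device showing every indicator...
INFECTED_GETPROP = "[ro.build.version.release]: [8.1.0]\n[service.adb.tcp.port]: [5555]\n"
INFECTED_HOSTS = "127.0.0.1 localhost\n::1 ip6-localhost\n0.0.0.0 miningv2.duckdns.org\n"
INFECTED_SYSCTL = "vm.nr_hugepages = 128\n"
INFECTED_LS = "total 8\n-rwxrwxrwx 1 shell shell 2048 2019-06-20 10:11 a.sh\n"

# ...and for a clean, USB-only device.
CLEAN_GETPROP = "[ro.build.version.release]: [8.1.0]\n[service.adb.tcp.port]: [-1]\n"
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 ip6-localhost\n"
CLEAN_SYSCTL = "vm.nr_hugepages = 0\n"
CLEAN_LS = "total 0\n"

if __name__ == "__main__":
    for label, args in (("infected", (INFECTED_GETPROP, INFECTED_HOSTS, INFECTED_SYSCTL, INFECTED_LS)),
                        ("clean", (CLEAN_GETPROP, CLEAN_HOSTS, CLEAN_SYSCTL, CLEAN_LS))):
        print(label, assess(*args))
```

A device that reports `adb_over_tcp` but nothing else is not infected, only exposed; the fix there is to return debugging to USB (`adb usb`, or setting `service.adb.tcp.port` back to -1) and to keep port 5555 off any network reachable from the internet.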

One of the interesting aspects of this botnet is its SSH spreading mechanism, which lets it infect the systems listed in the known_hosts file of compromised devices.

“Being a known device means the system can communicate with the other system without any further authentication after the initial key exchange, i.e., each system considers the other as safe. The combination of known hosts and the victim’s public key makes it possible for the malware to connect to smart devices or systems that have previously connected to the infected system,” explains Trend Micro.

Once connected via SSH to another target, the malware uses two spreader scripts to download, install, and launch a miner payload.
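When a device is found compromised, an incident responder wants to know which systems the SSH spreader could have reached from it. The script below is an added example, not part of the Trend Micro report: it parses the OpenSSH known_hosts format (an optional `@cert-authority` or `@revoked` marker, a comma-separated list of hosts or `[host]:port` entries, or a hashed `|1|salt|hash` entry that cannot be read back) and lists the candidate targets. The sample file is constructed. Whether the bot could actually log in to each host depends on the compromised device's private key being accepted there, so the listed hosts are where to check authorized_keys and rotate keys, not a list of confirmed infections.

```python
"""List the SSH targets reachable from a compromised device's known_hosts.

Added example; not Trend Micro's tooling. Parses OpenSSH known_hosts lines:
  [@marker] host1,host2,... keytype key [comment]
Hashed entries (|1|...) hide the host name and are only counted.
"""
from typing import Dict, List

# Constructed sample file; none of these hosts are real.
SAMPLE_KNOWN_HOSTS = """\
# comment line
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly
[192.0.2.20]:2222,gateway.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample
@cert-authority *.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCAKey
|1|8xBc6w3YdKzIlXJtq2gQ1A==|QzpWc7eqlQjgDQkQ5b8Q5l5YhRE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashed
@revoked 198.51.100.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrevoked
"""


def _normalise(host: str) -> str:
    """'[host]:port' -> 'host:port'; bare 'host' -> 'host:22'."""
    if host.startswith("["):
        inner, _, port = host[1:].partition("]:")
        return f"{inner}:{port or 22}"
    return f"{host}:22"


def parse_known_hosts(text: str) -> Dict[str, object]:
    """Split known_hosts into reachable hosts, CA patterns, revoked keys
    and the number of hashed entries whose host cannot be recovered."""
    hosts: List[str] = []
    ca_patterns: List[str] = []
    revoked: List[str] = []
    hashed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed: needs host, key type and key
        host_field = fields[0]
        if host_field.startswith("|1|"):
            hashed += 1  # HashKnownHosts yes: name is an HMAC, not recoverable
            continue
        for host in host_field.split(","):
            if marker == "@cert-authority":
                ca_patterns.append(host)  # a pattern trusted via a CA, not a host
            elif marker == "@revoked":
                revoked.append(_normalise(host))
            else:
                hosts.append(_normalise(host))
    return {"hosts": hosts, "ca_patterns": ca_patterns,
            "revoked": revoked, "hashed": hashed}


if __name__ == "__main__":
    result = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-zero `hashed` count means the list is incomplete and the remaining targets have to be found from the other side, by searching authorized_keys files across the fleet for the compromised device's public key.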
