Botnet Uses SSH and ADB to Create Android Cryptomining Army

by chebbi abir

Researchers discovered a cryptocurrency mining botnet that uses the Android Debug Bridge (ADB) Wi-Fi interface and SSH connections to hosts stored in the known_hosts list to spread to other devices.

While ADB is disabled on most Android devices by default, some ship with it enabled, allowing unauthenticated attackers to connect remotely via TCP port 5555 and gain direct access to the ADB command shell, which is commonly used by developers to install and debug apps.

The botnet is active in “21 different countries, with the highest percentage found in South Korea” according to Trend Micro’s cyber threat researcher Jindrich Karasek, with Shodan having returned 13,577 Internet-connected potential targets with the ADB debugging interface enabled.

Targets with ADB enabled

At the beginning of the infection process, the malware connects to devices where the ADB interface is reachable and immediately “change the attacked system’s working directory to /data/local/tmp”, taking advantage of the fact that files saved in that folder receive execute permission by default.

Dropping the cryptominer payload
Next, the malicious implant will check if it has landed on a honeypot and the type of system it managed to infiltrate to be able to download a malware dropper script payload using wget or curl from an attacker-controlled server in the form of a Bash script named

After being launched on the infected device, the dropper will immediately be removed to erase any infection traces and evade detection.

A miner payload will be downloaded after checking the system’s architecture with the dropper having the option to “choose from three different downloadable miners.”

Miner dropper script
As is customary these days, competing malicious cryptocurrency miners are also targeted by the bot with their processes being terminated and their Internet access blocked by altering the /etc/hosts file, redirecting all connections to the non-routable address.

“To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as ‘/sbin/sysctl -w vm.nr_hugepages=128’,” also notes Karasek.

Spreading to other devices using SSH
While this botnet exhibits similar behavior to others that have targeted devices with ADB enabled [1, 2, 3], this malware strain adds a new spreading mechanism via SSH, which enables it to infect systems listed in the known_hosts file of compromised devices.

“Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange, each system considers the other as safe,” says Trend Micro.

Infection chain
The botnet will use the victim’s SSH public key and the known hosts, if it can find them, to connect to any other “smart devices or systems that have previously connected to the infected system.”

Once connected via SSH to another target, the malware uses the spreader script to download, install, and launch a miner payload specifically designed to be dropped via this attack vector.
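Because the spread depends on host names being readable in known_hosts, the following audit (an added example, not code from the article or from Trend Micro's analysis) parses a known_hosts file and reports which entries expose names in plaintext and which are hashed. The sample file content, host names and keys are constructed; `HashKnownHosts` and `ssh-keygen -H` are standard OpenSSH features.

```python
import re

# Constructed sample known_hosts content (hosts, salts and keys are made up).
SAMPLE_KNOWN_HOSTS = """\
# comment line
build01.example.internal,10.0.0.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA
[nas.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedKeyB
|1|Y29uc3RydWN0ZWRzYWx0MDE=|Y29uc3RydWN0ZWRoYXNoMDAwMQ== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyC
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyD
"""

def audit_known_hosts(text):
    """Return (plaintext_hosts, hashed_count) for known_hosts content."""
    plaintext, hashed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Optional marker (@cert-authority / @revoked) precedes the host field.
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed entry: need hosts, key type, key
        hosts_field = fields[0]
        if hosts_field.startswith("|1|"):
            hashed += 1  # HMAC-SHA1 hashed name: not readable from the file
            continue
        for pattern in hosts_field.split(","):
            # Strip the [host]:port form used for non-default ports.
            m = re.fullmatch(r"\[(.+)\]:(\d+)", pattern)
            plaintext.append(m.group(1) if m else pattern)
    return plaintext, hashed

def report(text):
    """Build a short audit summary with a remediation hint if needed."""
    plaintext, hashed = audit_known_hosts(text)
    lines = [f"hashed entries: {hashed}", f"plaintext names: {len(plaintext)}"]
    lines += [f"  readable: {h}" for h in plaintext]
    if plaintext:
        lines.append("remediate: set HashKnownHosts yes, then run ssh-keygen -H")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_KNOWN_HOSTS))
```

Hashing only removes the readable host list; it does not change which keys those hosts accept.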

“Although ADB is a useful feature for administrators and developers, it is important to remember that an enabled ADB might expose the device and those connected to it to threats,” concludes Karasek.

A list of indicators of compromise (IOCs), including SHA256 hashes for the various scripts and components used by the botnet as well as IP addresses of the servers used to distribute the malicious payloads, is available at the end of Karasek’s analysis, together with more details on the botnet’s inner workings.
