We observed a new cryptocurrency-mining botnet malware that arrives via open ADB (Android Debug Bridge) ports and can spread via SSH. The attack takes advantage of the fact that open ADB ports do not require authentication by default, similar to the Satori botnet variant we previously reported. The bot's design allows it to spread from the infected host to any system that has had a previous SSH connection with the host. The use of ADB makes Android-based devices susceptible to the malware.

We detected activity from this malware in 21 different countries, with the highest percentage found in South Korea.

We found that the IP address 456714179 connects to the device or system running ADB and then conducts several activities. Figure 1 summarizes the attack's infection chain.

The attack starts by using the ADB command shell to change the attacked system's working directory to "/data/local/tmp", since files in tmp typically have execute permission by default. The bot then determines the kind of system it has entered and whether the system is a honeypot, using the command "uname -a". It then uses wget to download the payload, falling back to curl if wget is not present on the infected system. The bot then issues the command "chmod 777 a.sh" to change the permission settings of the downloaded payload so that it can be executed. Finally, after "a.sh" is executed, it is deleted with the command "rm -rf a.sh*" to remove its traces.