Botnet Creates Android Crypto Mining Army With SSH and ADB
Researchers have identified a new crypto-currency mining botnet on the internet. Unlike other botnets, this one spreads through two channels: the widely used Android Debug Bridge (ADB) interface exposed over Wi-Fi, and Secure Shell (SSH) connections, where it uses the hosts stored in a compromised system's known_hosts list to reach further across the internet.
On most Android devices the Android Debug Bridge is disabled by default, but some ship with it enabled, which lets attackers gain unauthenticated remote access to the device over TCP port 5555. That connection gives direct access to the ADB command shell, the same shell developers use to install and debug apps.
The botnet is suspected to be active across 21 countries, with the highest share of its activity observed in South Korea. When Jindrich Karasek, Cyber Threat Researcher at Trend Micro, scanned with Shodan, he reported finding around 13,577 Internet-connected potential targets with the Android debugging interface open.
Once the vulnerabilities are exploited, the malicious implant checks whether it has landed on a honeypot and whether the type of system it managed to exploit is able to download a dropper script payload. If those checks pass, the dropper script downloads the payload from an attacker-controlled server using wget or curl, as a bash script file named a.sh.
As soon as the script is launched, the dropper deletes itself and erases any traces of the infection to evade detection. The payload is a miner: of the three different downloadable miners, the one best suited to the exploited system's architecture is downloaded and configured.
Because competing malicious crypto-miners are also targeted, the bots block Internet access for rival miner processes. This is done by altering the /etc/hosts file and redirecting all of those other connections to 0.0.0.0, a non-routable address. Karasek added that "The script is capable of optimizing the mining activity. The script enhances the victim's memory by enabling HugePages. These HugePages will help support memory pages as they are greater than the default pages. This part of the script's ability can be seen in the script as '/sbin/sysctl -w vm.nr_hugepages=128'".
Though the botnet behaves much like other botnets that have targeted the ADB interface, this malware strain has a new spreading mechanism via SSH, which lets it infect systems listed in the known_hosts file. The known_hosts file holds the list of devices the compromised system already knows. Here a known device means a pair of systems that can communicate with each other without any further authentication keys; this state is reached after the initial key exchange, when each system considers the other safe.
Once a compromised system connects to another system through SSH, the malware uses the spreader script to configure and launch the miner payload. Karasek added that "One should remember that having ADB enabled might expose the device to threats, although ADB is a useful feature".
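To turn the behaviours described above into a host check, here is an added example (not code from the article or from Trend Micro's analysis) that parses constructed samples of /etc/hosts, sysctl output and ss -ltn output for the three indicators the article names: rival mining pools sinkholed to 0.0.0.0, the vm.nr_hugepages=128 tweak, and ADB listening on TCP 5555. Every hostname and sample output below is constructed for illustration.

```python
"""Host-triage checks for the indicators described above (constructed samples, added example)."""
import re
from typing import Dict, List
# Constructed /etc/hosts sample: rival mining pools sinkholed to the non-routable 0.0.0.0.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     pool.rival-miner.invalid   # constructed hostname
0.0.0.0     xmr.another-pool.invalid
"""
# Constructed `sysctl -a` excerpt showing the HugePages tweak the article quotes.
SAMPLE_SYSCTL = "vm.nr_hugepages = 128\nvm.swappiness = 60\n"
# Constructed `ss -ltn` excerpt with the ADB network port (TCP 5555) listening.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      50     0.0.0.0:5555      0.0.0.0:*
"""

def sinkholed_hosts(hosts_text: str) -> List[str]:
    """Hostnames mapped to 0.0.0.0 in /etc/hosts; comments and blank lines are ignored."""
    found: List[str] = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "0.0.0.0":
            found.extend(fields[1:])
    return found

def hugepages_setting(sysctl_text: str) -> int:
    """vm.nr_hugepages from sysctl output, or 0 when the key is absent."""
    m = re.search(r"^vm\.nr_hugepages\s*=\s*(\d+)", sysctl_text, re.M)
    return int(m.group(1)) if m else 0

def adb_listening(ss_text: str) -> bool:
    """True when a TCP listener is bound to port 5555 (ADB over the network)."""
    return any(re.search(r"^LISTEN\s.*:5555\s", ln) for ln in ss_text.splitlines())

def assess(hosts_text: str, sysctl_text: str, ss_text: str) -> Dict[str, object]:
    """Combine the three checks; ADB exposure or hosts sinkholing is enough to flag the host.
    A non-zero nr_hugepages alone is not flagged, since databases set it legitimately."""
    pools = sinkholed_hosts(hosts_text)
    pages = hugepages_setting(sysctl_text)
    adb = adb_listening(ss_text)
    return {
        "sinkholed_pools": pools,
        "nr_hugepages": pages,
        "hugepages_matches_script": pages == 128,
        "adb_port_open": adb,
        "suspicious": bool(pools) or adb,
    }
```

On a live host, feed the functions the real /etc/hosts contents and the output of `sysctl -a` and `ss -ltn` instead of the constructed samples.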
A list of IOCs, including SHA256 hashes of the various scripts and components used by the botnet, as well as the IP addresses of the servers used to spread the payloads, is available in Karasek's analysis.