Trend Micro researchers uncovered a new exploit that takes advantage of the persistent open-port problem plaguing many IoT gadgets, using TCP port 5555 as a way of spreading the Satori variant of the Mirai botnet.
The researchers discovered the exploit after noting two activity spikes on July 9th, 10th and 15th. The activity showed the malware scanning for open Android Debug Bridge (ADB) utility ports and then using them to download its malicious payloads.
The attack has three stages. First, a shell script is dropped over the ADB connection via open port 5555. That script downloads the second stage, which consists of two more shell scripts that launch the third stage, a binary. The researchers estimate that around 48,000 gadgets are vulnerable to this ADB exploitation, including mobile phones and smart TVs sitting behind misconfigured routers.
After deleting its own file from the filesystem, the binary runs numerous checks. If they pass, it uses a specific hostname to resolve the C&C server's address via the Google DNS server. If the checks fail, it falls back to a hardwired IP address to complete the process.
Two more processes are then run. The first checks for the temp files xig, smi or trinity and kills their processes if they're found. The other initializes the malware's worm component. According to Trend Micro, smi is a file belonging to the Coinhive variant used on hijacked Amazon devices.
The malware then contacts the command and control server and receives another payload containing its targets, the IP packet types it will send, and a list of IPv4 addresses.
Trend Micro stated, “The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack.”
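For defenders, the useful signal in this chain is an inbound connection to TCP/5555 from outside the network, followed shortly by the victim fetching a second-stage file. The following is an added detection example (not Trend Micro's code) that runs that logic over constructed flow records; the addresses, timestamps and 300-second window are assumptions.

```python
"""Flag hosts that accept inbound ADB (TCP/5555) from outside the LAN and
then make an outbound HTTP(S) fetch shortly afterwards, matching the
stage-1 drop / stage-2 download pattern described in the article."""
import ipaddress
from collections import defaultdict

ADB_PORT = 5555
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    (100, "203.0.113.7",  "192.168.1.20", 5555, "tcp"),  # external -> ADB
    (115, "192.168.1.20", "198.51.100.9",   80, "tcp"),  # victim fetches stage 2
    (200, "192.168.1.30", "192.168.1.31", 5555, "tcp"),  # LAN-only ADB use
    (300, "203.0.113.8",  "192.168.1.40", 5555, "tcp"),  # external -> ADB, no follow-up
]


def is_internal(ip: str) -> bool:
    """True for RFC1918 addresses; anything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def exposed_adb_hosts(flows):
    """Hosts that accepted a TCP/5555 connection from an external source."""
    return sorted({dst for _, src, dst, dport, proto in flows
                   if proto == "tcp" and dport == ADB_PORT and not is_internal(src)})


def find_adb_compromise(flows, window=300):
    """Map host -> [(adb_hit_time, download_time)] where an external ADB
    connection was followed within `window` seconds by an outbound fetch."""
    adb_hits = defaultdict(list)
    hits = defaultdict(list)
    for ts, src, dst, dport, proto in sorted(flows, key=lambda f: f[0]):
        if proto == "tcp" and dport == ADB_PORT and not is_internal(src):
            adb_hits[dst].append(ts)
        elif (proto == "tcp" and src in adb_hits
              and dport in (80, 443) and not is_internal(dst)):
            for hit in adb_hits[src]:
                if 0 <= ts - hit <= window:
                    hits[src].append((hit, ts))
    return dict(hits)


if __name__ == "__main__":
    print("ADB exposed:", exposed_adb_hosts(SAMPLE_FLOWS))
    print("Likely compromised:", find_adb_compromise(SAMPLE_FLOWS))
```

Hosts reported by `exposed_adb_hosts` are the ones to firewall or to disable ADB-over-TCP on; those in `find_adb_compromise` warrant a look for the dropped shell scripts and the xig/smi/trinity files.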
Any thoughts on this? Please leave them below.