Saturday, December 7, 2024
HomeMalwareAndroid Device With Open ADB Ports Exploited to Spread Satori Variant of...

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

Published on

SIEM as a Service

A new exploit targeting Android devices with open ADB port 5555 to spread malware through command line troubleshooting utility called Android Debug Bridge (ADB) which allows developers to debug apps on the Android devices.

The port generally shut down on the android device and user needs to need to turn it on manually while connecting their device through USB. Attackers trying to exploit the devices with port 5555 open and turn them into a botnet.

Security researchers from Trend Micro spotted suspicious spikes of a new exploit targeting port 5555 on July 9-10 and July 15. The first wave of traffic from China and the US, the second wave from Korea.

- Advertisement - SIEM as a Service
Satori

Multi-Stage Attack Satori

The malware spreads through scanned ADB ports, the first stage of the script is to establish a connection with the target system and download the two stage 2 shell scripts “adbs” and “adbs2″.

The 2 Stage two shell scripts download the stage 3 binary by using different download methods, the first one uses curl and the second one BusyBox.

With further analysis of downloaded binaries and the C&C server it connected, researchers linked to the Satori variant of the Mirai botnet. The C&C servers located in Spain for 95[.]215[.]62[.]169 and the Netherlands for 185[.]62[.]189[.]149.

Malware version is less sophisticated, it uses the combination of byte swap and Base62 encoding. It appears the attackers testing their tools to launch a serious attack.

” All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength.”

Satori is a variant of the infamous Mirai botnet, it was first discovered on 2017-11-22. Like Mirai botnet, Satori won’t use brute-force, instead, it uses exploits to take control of the devices.

Users are advised to check if they have ADB enabled. Settings > Developer Options and make sure that you have turned off “ADB (USB) debugging” and “Apps from Unknown Sources”.

Also Read

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

Android Based Malicious CryptoMiner Spreading by Worm that has Infected more than 5,000 devices in 24 hours

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...