A new exploit is taking advantage of the ongoing open-port problem that plagues many IoT devices, using TCP port 5555 to spread the Satori variant of the Mirai botnet.
Trend Micro researchers came across the exploit after two spikes in activity were noted, on July 9-10 and July 15, that scanned for and then used open Android Debug Bridge (ADB) utility ports to download malicious packages.
The attack takes place in three stages. The first drops a shell script over the ADB connection through open port 5555; that script downloads the second stage, two additional shell scripts, which in turn launch the third stage, a binary. Trend Micro believes about 48,000 devices are vulnerable to ADB exploitation, including smart TVs and mobile phones sitting behind misconfigured routers.
The binary deletes its own file from the filesystem and then runs several checks; if they pass, it “will use a hostname ‘n[.]ukrainianhorseriding[.]com’ to resolve the address of the C&C server through the Google DNS server. Otherwise, it uses the hardwired IP address 95[.]215[.]62[.]169 with a connection port of 7267,” Trend Micro said.
Two additional processes are then run. One checks for the open temporary files smi, xig, or trinity and kills them if found. Trend Micro noted that trinity could be related to the Android system fuzzer, while smi is a file known to belong to the version of Coinhive used on hijacked Amazon devices. The second process initializes the malware's worm feature.
The malware then contacts the command and control server to receive another payload containing the targets and the IP packet types to be sent, along with a list of IPv4 addresses.
“The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack,” Trend Micro said.
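As an added illustration (not code from Trend Micro or the report), the Python below matches the indicators named above against a simple connection/DNS log. The log format, the sample lines, the 192.168.1.0/24 "internal" range and the severity labels are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

ADB_PORT = 5555                           # open ADB port abused in stage one
C2_PORT = 7267                            # port paired with the hardwired C&C address
C2_HOST = "n.ukrainianhorseriding.com"    # C&C hostname named in the report
C2_IP = "95.215.62.169"                   # hardwired fallback C&C address
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local range

# Constructed sample log (not real traffic): "CONN <src> <dst> <dport>" or "DNS <client> <query>"
SAMPLE_LOG = """\
CONN 203.0.113.7 192.168.1.20 5555
CONN 192.168.1.20 95.215.62.169 7267
DNS 192.168.1.20 n.ukrainianhorseriding.com.
CONN 192.168.1.20 192.168.1.22 5555
DNS 192.168.1.21 example.com
CONN 198.51.100.9 192.168.1.30 443
"""

@dataclass(frozen=True)
class Finding:
    host: str       # the internal host the finding concerns
    severity: str   # "high" or "medium"
    reason: str

def is_internal(ip: str) -> bool:
    """True if ip parses and lies inside INTERNAL_NET; malformed addresses count as external."""
    try:
        return ipaddress.ip_address(ip) in INTERNAL_NET
    except ValueError:
        return False

def analyze(log_text: str) -> list:
    """Return Findings for lines matching the ADB-to-Satori chain; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "CONN" and parts[3].isdigit():
            src, dst, dport = parts[1], parts[2], int(parts[3])
            if dport == ADB_PORT:
                # external source: the initial scan; internal source: the worm feature spreading
                severity = "medium" if is_internal(src) else "high"
                findings.append(Finding(dst, severity, f"ADB/5555 connection from {src}"))
            if dst == C2_IP and dport == C2_PORT:
                findings.append(Finding(src, "high", "connection to hardwired C&C on 7267"))
        elif len(parts) == 3 and parts[0] == "DNS":
            client, qname = parts[1], parts[2].rstrip(".").lower()
            if qname == C2_HOST:
                findings.append(Finding(client, "high", "DNS lookup of the Satori C&C hostname"))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.severity, f.host, f.reason)
```

Running it on the sample log yields four findings: the inbound ADB connection, the C&C connection and DNS lookup from 192.168.1.20, and the lateral ADB connection to 192.168.1.22.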