Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH (Jun 20, 2019)
Trend Micro researchers have identified a new cryptocurrency-mining botnet malware that enters through open Android Debug Bridge (ADB) ports and spreads through SSH. Because ADB does not require authentication by default, the malware is able to infect the system and then spread to any other system that has had an SSH connection with the host. Using the ADB command line, the payload is downloaded; the commands and the downloaded files are then deleted to remove any trace of the attack. Because systems that have communicated over SSH are saved as known hosts, the malware searches the known-hosts list to find and infect further systems.
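The lateral-movement step above relies on reading hostnames out of an OpenSSH known_hosts file. A defender-side check is to audit that file for entries stored in plaintext (OpenSSH stores them hashed when the client option HashKnownHosts is enabled, and a hashed entry begins with "|1|"). The following audit script is an added example, not code from the Trend Micro write-up or from this story; the sample file content, hostnames, keys and salt are constructed for the example, and the entry format follows the sshd(8) known_hosts description (optional "@marker", host field, key type, key).

```python
"""Audit an OpenSSH known_hosts file for hostnames readable in plaintext.

Added example (not from the original story). Hashed entries use the
HashKnownHosts format: '|1|' + base64(salt) + '|' + base64(HMAC-SHA1(salt, host)).
"""
import base64
import hashlib
import hmac
from typing import Dict, List


def hash_host(host: str, salt: bytes) -> str:
    """Return the hashed host field OpenSSH writes for `host` with `salt`."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_host_matches(field: str, host: str) -> bool:
    """True if a hashed host field corresponds to `host` (hashing hides the
    name from enumeration, but a candidate name can still be verified)."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    return hmac.compare_digest(hash_host(host, salt), field)


def parse_known_hosts(text: str) -> List[Dict]:
    """Parse known_hosts text into entries; malformed lines are reported, not dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            entries.append({"line": lineno, "malformed": True})
            continue
        hosts_field, key_type = fields[0], fields[1]
        entries.append({
            "line": lineno,
            "marker": marker,
            "hashed": hosts_field.startswith("|1|"),
            "hosts": [hosts_field] if hosts_field.startswith("|1|") else hosts_field.split(","),
            "key_type": key_type,
            "malformed": False,
        })
    return entries


def audit(text: str) -> Dict:
    """Summarise what an attacker reading this file would learn directly."""
    plaintext, wildcard, hashed, malformed = [], [], 0, 0
    for entry in parse_known_hosts(text):
        if entry["malformed"]:
            malformed += 1
        elif entry["hashed"]:
            hashed += 1
        else:
            for host in entry["hosts"]:
                (wildcard if ("*" in host or "?" in host) else plaintext).append(host)
    return {
        "plaintext_hosts": plaintext,
        "wildcard_patterns": wildcard,
        "hashed_entries": hashed,
        "malformed_lines": malformed,
    }


# Constructed sample data: fake hostnames, fake key material, fixed 20-byte salt.
CONSTRUCTED_SALT = b"0123456789abcdefghij"
HASHED_FIELD = hash_host("db01.example.internal", CONSTRUCTED_SALT)
SAMPLE_KNOWN_HOSTS = f"""\
# constructed sample known_hosts
build01.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData1
[git.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeKeyData2
{HASHED_FIELD} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData3
@revoked *.old.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeKeyData4
"""

if __name__ == "__main__":
    report = audit(SAMPLE_KNOWN_HOSTS)
    print("readable targets:", report["plaintext_hosts"])
    print("hashed entries:", report["hashed_entries"])
```

Run against a real file with `audit(open("~/.ssh/known_hosts").read())` after expanding the path; any name in `plaintext_hosts` is one the malware's known-hosts harvesting would see directly. Enabling `HashKnownHosts yes` (and rehashing existing entries with `ssh-keygen -H`) reduces the file to hashed entries, which removes the free target list but, as `hashed_host_matches` shows, still lets a connecting client confirm a host it already knows.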
Recommendation: To help protect against this attack, users are recommended to check and change default settings, update device firmware, apply patches, and be aware of the methods attackers use to spread malware.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.