Trend Micro researchers have reported a new attack on IoT devices: a Satori variant of the Mirai botnet is spreading through the Android Debug Bridge (ADB) service, which many devices leave exposed on TCP port 5555.
The researchers recently noticed two activity spikes, one on July 9-10 and another on July 15, and traced them to this exploit. The malware scans for devices with the ADB port open and then uses that debugging interface, which is not meant to be reachable from the internet, to download and run its malicious payloads on them.
The attack unfolds in three stages. First, a shell script is dropped over the ADB connection on open port 5555. That script fetches and runs two more shell scripts, which prepare the third and final stage, a binary. Trend Micro estimates that around 48,000 devices are vulnerable to this ADB abuse, including mobile phones and smart TVs sitting behind misconfigured routers that forward the port.
In the final stage, after deleting its own file from the filesystem, the binary runs several checks. If they all pass, it resolves the command-and-control (C&C) server's address from a hostname via Google's DNS server; if they fail, it falls back to a hardcoded IP address instead.
It then performs two more actions: it checks for open temp files named xig, sim or trinity and kills them if found, and it initializes its worm component. The Trend Micro researchers believe sim is a file belonging to a Coinhive variant that was used on previously compromised Amazon devices.
Finally, the malware contacts the command and control server and receives another set of instructions: the targets to attack, the type of IP packets to send, and a list of IPv4 addresses.
In a statement, Trend Micro said: “The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack.”
If you have anything to share, feel free to comment below.