Miser pays twice: Mirai botnet turns cheap Android TV set-top boxes into cyberweapons

Carding

A story about when savings lead to security compromises.

Researchers at the information security company Dr. Web have discovered a new version of the Mirai malware that infects budget Android TV set-top boxes. The variant is a new version of the Pandora backdoor, which first appeared in 2015.

Main targets and distribution methods

The main targets of the campaign are the low-cost Android set-top boxes Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3. These devices are equipped with quad-core processors that can launch powerful DDoS attacks even when the botnet is small.

There are two main ways for malware to reach devices:

1. Via a malicious firmware update signed with public test keys. Updates are either installed by device vendors, or users download them themselves from fraudulent websites that offer "unlimited access to media content" or "improved app compatibility";
2. Through malicious apps distributed on sites with pirated content. These apps promise free or cheap access to copyrighted TV shows and movies.

Technical Details

The malicious code is located in "boot.img", the file containing the kernel and ramdisk components that are loaded during Android boot. This placement gives the malware a high degree of persistence. After the malicious app is launched for the first time, the background service "GoMediaService" is activated, and it automatically starts every time the device boots.

After activation, the Trojan sets up communication with the C2 server, replaces the system HOSTS file, updates itself, and waits for commands from the operators. Dr. Web reports that, among other actions, the malware can perform DDoS attacks, open a reverse shell, and modify system partitions.
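An added triage example (not code from the article or from Dr. Web): it checks text captured from a set-top box over adb for the indicators described above. It assumes the standard `getprop` output format and the `ro.build.tags` property (which reads `test-keys` on builds signed with the public AOSP test keys), and treats only the stock loopback entries of the HOSTS file as benign; the sample captures are constructed.

```python
import re
from typing import List

# Stock loopback mappings considered benign (assumption: anything else is worth a look)
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost")}
SUSPECT_SERVICE = "GoMediaService"   # background service name reported in the article

def build_findings(getprop_text: str) -> List[str]:
    """Flag firmware signed with public AOSP test keys via ro.build.tags."""
    props = dict(re.findall(r"\[([^\]]+)\]: \[([^\]]*)\]", getprop_text))
    tags = props.get("ro.build.tags", "")
    return [f"build: ro.build.tags={tags}"] if "test-keys" in tags else []

def hosts_findings(hosts_text: str) -> List[str]:
    """Flag HOSTS entries beyond the stock loopback mappings (e.g. pinned update domains)."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name) not in DEFAULT_HOSTS:
                findings.append(f"hosts: {name} -> {ip}")
    return findings

def service_findings(services_text: str) -> List[str]:
    """Flag the suspect background service in `dumpsys activity services` output."""
    return [f"service: {ln.strip()}" for ln in services_text.splitlines()
            if SUSPECT_SERVICE in ln]

def triage(getprop_text: str, hosts_text: str, services_text: str) -> List[str]:
    """Combine all checks into one list of findings (empty list means nothing flagged)."""
    return (build_findings(getprop_text) + hosts_findings(hosts_text)
            + service_findings(services_text))

# Constructed sample captures, not output from a real device
SAMPLE_GETPROP = "[ro.build.tags]: [test-keys]\n[ro.product.model]: [TX6]\n"
SAMPLE_HOSTS = ("127.0.0.1 localhost\n::1 ip6-localhost\n"
                "# added by firmware\n0.0.0.0 update.example.invalid\n")
SAMPLE_SERVICES = "  * ServiceRecord{1a2b u0 com.example.tv/.GoMediaService}\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP, SAMPLE_HOSTS, SAMPLE_SERVICES):
        print(finding)
```

Capture the real inputs with `adb shell getprop`, `adb shell cat /etc/hosts` and `adb shell dumpsys activity services`, then feed them to `triage`.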

Even careful consumers who keep the original firmware and choose their apps carefully still run the risk of getting a device with pre-installed malware. It is therefore recommended to buy streaming devices from trusted brands.

The Pandora malware has already been used in attacks. In July of this year, the SCARLETEEL attackers targeted Fargate, one of the Amazon Web Services (AWS) services. Among other tools, the hackers also used Pandora to conduct DDoS attacks on their targets.

In addition, at the end of July, Aqua specialists discovered a Mirai botnet campaign targeting misconfigured and poorly protected Apache Tomcat servers. Aqua recorded more than 800 attacks on its Tomcat honeypots over two years, and 96% of them were related to the Mirai botnet.