
BADBOX malware operation sinkholed by Germany


Germany's Federal Office of Information Security (BSI) has confirmed it dismantled the suspected China-based BADBOX malware operation by sinkholing the domains the operation used for communications between its command-and-control servers and at least 30,000 outdated, internet-exposed Android devices, The Hacker News reports.

The compromised Android devices, which include phones, tablets, media players, and digital picture frames, could be used not only as a residential proxy service that routes internet traffic stealthily through the victims' connections, but also to create Gmail and WhatsApp accounts, according to BSI. The agency urged major internet providers across the country to redirect traffic for the malicious domains to the sinkhole, while ordering that affected devices be taken offline immediately.

The takedown follows the discovery by HUMAN's Satori Threat Intelligence and Research team that BADBOX relied on both the Triada malware and the PEACHPIT ad fraud botnet in its attacks. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware," said researchers.

Related

Novel Glutton backdoor deployed by Winnti hackers

Aside from targeting the widely used PHP frameworks ThinkPHP, Laravel, Dedecms, and Yii in code injection attacks, Glutton has also been leveraged to exfiltrate data from the Chinese server management tool Baota, an analysis from QAX's XLab research team revealed.

Upstart Pumakit Linux rootkit malware examined

Attacks with Pumakit begin with the deployment of a cron dropper, which executes the '/memfd:tgt' and '/memfd:wpn' payloads; the former eventually launches the 'puma.ko' LKM rootkit module, which loads only after checking the secure boot status and scanning for the kernel symbols it needs.

New BoneSpy, PlainGnome Android spyware deployed by Gamaredon

Malicious battery charge tracking and photo gallery apps, as well as a phony Samsung Knox app and trojanized Telegram app, have been leveraged to distribute the similar BoneSpy and PlainGnome spyware, which facilitate compromise of device location, call logs, contact lists, SMS messages, and other sensitive information.
