A new variant of the Mirai botnet has been discovered by security experts. Dubbed Fbot, the new botnet is considered unusual because it hunts for and wipes out cryptominers. The botnet retains Mirai's original DDoS module, but it also searches for devices infected with cryptomining malware and removes that malware from them.
Security researchers at 360Netlab, who discovered the new botnet, found that the new strain hunts down a malware called 'com.ufo.miner', a variant of the ADB.Miner malware that mines Monero on Android devices.
Fbot spreads by scanning for devices with an open TCP port 5555, the port used by the ADB (Android Debug Bridge) service when it is exposed over the network. Once on a device, the botnet executes one of two scripts, hxxp://188.209.52.142/c or hxxp://188.209.52.142/w, which are designed to uninstall the 'com.ufo.miner' malware.
In addition, Fbot looks for processes such as SMI, RIG and XIG, all of which are associated with cryptomining activity, and kills them.
Another feature that caught the researchers' attention is that Fbot's developers chose a decentralized DNS system, in which domain names are registered and resolved through a blockchain rather than through the ICANN root. This makes the botnet harder to locate and harder to take down.
The DNS used by this botnet is EmerDNS, which is built on the Emercoin blockchain. Emercoin supports the registration of domain names in the EMC, COIN, LIB and BAZAR namespaces.
“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names), also it makes it harder to sinkhole the C2 domain, at least not applicable for ICANN members,” 360Netlab researchers noted.
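The researchers' point that security systems fail if they only look for traditional DNS names has a practical counterpart: a resolver or DNS-log monitor can flag any query whose top-level label is one of the EmerDNS namespaces, since those names never exist in the ICANN root and an ordinary client has no reason to ask for them. The following is an added example, not code from the original article or from 360Netlab. The log line format (timestamp, client IP, query name, query type) is an assumed simplified one, and the sample log, including the names musl.lib, stats.bazar and C2.EMC, is constructed for illustration rather than taken from real Fbot traffic.

```python
"""Flag DNS queries for EmerDNS (Emercoin) namespaces in a resolver query log.

Added example, not code from the original article or from 360Netlab.
The log line format (timestamp, client IP, query name, query type) is an
assumed simplified one; adjust LOG_LINE to match your resolver's format.
"""
import re
from typing import Dict, List, Optional

# EmerDNS top-level namespaces named in the article. None of these exist in
# the ICANN root, so a query for them on an ordinary resolver will never
# resolve, yet a client resolving through Emercoin can still reach a C2 there.
EMERDNS_TLDS = frozenset({"emc", "coin", "lib", "bazar"})

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s*$"
)


def normalise_qname(qname: str) -> str:
    """Lower-case and strip the trailing root dot so 'C2.EMC.' matches 'c2.emc'."""
    return qname.rstrip(".").lower()


def emerdns_tld(qname: str) -> Optional[str]:
    """Return the EmerDNS namespace a name belongs to, or None.

    Only the right-most label counts: 'api.coin.example.org' is an ordinary
    ICANN name whose second label happens to be 'coin'.
    """
    labels = normalise_qname(qname).split(".")
    if len(labels) < 2:  # a bare TLD is not a hostname
        return None
    tld = labels[-1]
    return tld if tld in EMERDNS_TLDS else None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None for blank or unparseable lines."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_emerdns_queries(log_text: str) -> List[Dict[str, str]]:
    """Return the log records whose query name sits in an EmerDNS namespace."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ns = emerdns_tld(rec["qname"])
        if ns:
            rec["qname"] = normalise_qname(rec["qname"])
            rec["namespace"] = ns
            hits.append(rec)
    return hits


# Constructed sample log (not real traffic). 10.0.0.7 behaves like an Fbot
# host resolving its C2 through EmerDNS; the other clients are benign, and
# two of their names contain 'lib' or 'coin' without being EmerDNS names.
SAMPLE_LOG = """\
2018-09-18T10:01:02Z 10.0.0.5 www.example.com A
2018-09-18T10:01:03Z 10.0.0.7 musl.lib A
2018-09-18T10:01:04Z 10.0.0.9 libcoin.example.net A
2018-09-18T10:01:05Z 10.0.0.7 stats.bazar A
2018-09-18T10:01:06Z 10.0.0.9 api.coin.example.org A
2018-09-18T10:01:07Z 10.0.0.7 C2.EMC. A
"""

if __name__ == "__main__":
    for h in find_emerdns_queries(SAMPLE_LOG):
        print(f"{h['ts']} client={h['client']} qname={h['qname']} "
              f"namespace={h['namespace']}")
```

Run against the constructed log, only the three queries from 10.0.0.7 are reported; the benign names that merely contain "lib" or "coin" as an inner label are left alone. Matching on the right-most label only is deliberate: a client that asks an ordinary resolver for a name ending in .emc, .coin, .lib or .bazar is either misconfigured or carrying something that expects to resolve that name through Emercoin, and that is exactly the signal a traditional-DNS-only monitor would miss.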
While Fbot’s technical details have piqued security experts’ interest, it is still unclear whether the botnet will be used for good or bad in future.