Modern botnets have come a long way from their humble beginnings at the turn of the 20th century, when they were primarily built and deployed as part of spam e-mail campaigns. Since then, they’ve been used by cybercriminals and nation-states alike to gain access to a large number of network-connected devices to launch devastating attacks, steal data, and more recently, secretly mine cryptocurrency. Though most botnets are clearly malicious, researchers have discovered one in particular that (intentionally or not) deviates from the trend.
Researchers with cybersecurity firm Qihoo’s 360Netlab released a report on Monday, September 17, 2018 that describes the “odd behavior” of Fbot, a botnet that utilizes the nefarious Satori code to clean up systems infected with cryptocurrency mining malware.
As reported by ZDNet, the Satori botnet code is a variant of Mirai, and since its public release this past January it has appeared in several deployments that specifically target machines and networks to mine cryptocurrency. It appears that Fbot’s only job is to leverage that code to track down connected systems infected by the com.ufo.miner botnet, which is a variant of ADB.Miner.
ADB.Miner and its variants are focused on infecting a wide range of devices running Android including smartphones, tablets, streaming devices, smartwatches, laptop and desktop hardware, refrigerators…the list goes on. The botnet will command these devices to covertly mine the cryptocurrency Monero (XMR) using the Coinhive mining script.
Fbot utilizes the same infection vector as the cryptojacking malware (an open TCP port 5555, the port used by ADB), though once on the infected system, it sniffs out any ADB malware processes, kills them, completely removes the cryptominer from the system, and then deletes itself.
Currently, there’s no consensus on why Fbot is cleaning up infected systems. It could be that a white-hat vigilante is quietly working to thwart malicious actors, or Fbot could be cleaning house to deploy its own cryptojacking malware. Regardless of its creator’s intent, it’s worth watching in the future. Also, monitoring for any network activity over an open port 5555 wouldn’t hurt either.
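As an added example (not code from 360Netlab, ZDNet or this article), a small Python detector for the monitoring suggested above: it parses constructed flow records, treats an assumed internal address range as "ours", and flags TCP/5555 reached from outside (an exposed ADB port) or contacted from inside (a host talking to ADB ports elsewhere).

```python
import ipaddress
from collections import defaultdict
# ADB over TCP listens on 5555; an open 5555 is the vector ADB.Miner and Fbot share.
ADB_PORT = 5555
# Address space treated as "ours" (assumed for this example; adjust to your network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records (not real telemetry): ts src sport dst dport proto
SAMPLE_FLOWS = """\
1537200001.10 10.0.0.15 51234 10.0.0.40 5555 tcp
1537200002.30 198.51.100.23 40211 10.0.0.40 5555 tcp
1537200003.75 203.0.113.9 44872 10.0.0.40 5555 tcp
1537200004.00 10.0.0.15 51240 10.0.0.40 443 tcp
1537200005.42 198.51.100.23 40212 10.0.0.41 5555 tcp
1537200006.10 10.0.0.40 38800 203.0.113.9 5555 tcp
malformed line that the parser must skip
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse one flow per line into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            flows.append({"src": ipaddress.ip_address(parts[1]),
                          "dst": ipaddress.ip_address(parts[3]),
                          "dport": int(parts[4]), "proto": parts[5]})
        except ValueError:
            continue
    return flows

def adb_port_activity(flows):
    """Return (exposed, outbound): exposed maps internal hosts to the external sources
    that reached their TCP/5555; outbound maps internal hosts to external addresses
    they contacted on TCP/5555. Internal-to-internal 5555 (developer adb) is ignored."""
    exposed, outbound = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != ADB_PORT:
            continue
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        if dst_in and not src_in:
            exposed[str(f["dst"])].add(str(f["src"]))
        elif src_in and not dst_in:
            outbound[str(f["src"])].add(str(f["dst"]))
    return {h: sorted(s) for h, s in exposed.items()}, {h: sorted(s) for h, s in outbound.items()}
```

On the sample data, 10.0.0.40 and 10.0.0.41 are reported as reachable on 5555 from outside, and 10.0.0.40 is also reported for reaching out to an external 5555.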