The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models such as Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with the malware often pre-installed at the factory or further down the supply chain. Using Censys, analysts identified a suspicious SSL/TLS certificate shared across BADBOX infrastructure; pivoting on it revealed five IPs and numerous domains that use the same certificate and the same SSH host key, which indicates a single actor controlling a templated environment. The analysis also uncovered attributes common to the infected hosts, including open SSH ports and nginx 1.20.1 running on CentOS. The scale and stealth of BADBOX underline the need for supply chain integrity monitoring and network traffic analysis.
Author: AlienVault
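As an added illustration (not part of the AlienVault pulse or the Censys analysis it summarises), the Python below performs the pivot the summary describes on constructed scan records: hosts are grouped by the pair (TLS certificate fingerprint, SSH host key), and each resulting cluster is checked for the attributes it shares, such as open ports and the web server/OS banner. IPs are documentation addresses and the fingerprints are placeholders.

```python
"""Cluster scan results by shared TLS certificate and SSH host key.

A shared certificate alone may be a reused default certificate, but a shared
SSH host key as well points to cloned images or one templated deployment
under a single operator, which is the pattern the summary describes.
"""
from collections import defaultdict

# Constructed sample records (documentation IPs, placeholder fingerprints);
# these are NOT real BADBOX indicators.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "cert_sha256": "CERT-A", "ssh_hostkey": "HOSTKEY-A",
     "ports": {22, 443}, "http_server": "nginx/1.20.1", "os": "CentOS"},
    {"ip": "192.0.2.11", "cert_sha256": "CERT-A", "ssh_hostkey": "HOSTKEY-A",
     "ports": {22, 443}, "http_server": "nginx/1.20.1", "os": "CentOS"},
    {"ip": "192.0.2.12", "cert_sha256": "CERT-A", "ssh_hostkey": "HOSTKEY-A",
     "ports": {22, 443, 8080}, "http_server": "nginx/1.20.1", "os": "CentOS"},
    {"ip": "198.51.100.5", "cert_sha256": "CERT-B", "ssh_hostkey": "HOSTKEY-B",
     "ports": {443}, "http_server": "Apache", "os": "Debian"},
    # Same certificate but a different host key: not part of the template.
    {"ip": "198.51.100.6", "cert_sha256": "CERT-A", "ssh_hostkey": "HOSTKEY-C",
     "ports": {22, 443}, "http_server": "nginx/1.20.1", "os": "Ubuntu"},
]


def cluster_by_pivot(records, min_size=2):
    """Group hosts by (certificate fingerprint, SSH host key).

    Returns {(cert, hostkey): [ips...]} for groups of at least min_size hosts.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["cert_sha256"], r["ssh_hostkey"])].append(r["ip"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def shared_attributes(records, ips):
    """Attributes common to every host in a cluster: ports, server, OS."""
    members = [r for r in records if r["ip"] in ips]
    common_ports = set.intersection(*(r["ports"] for r in members))
    servers = {r["http_server"] for r in members}
    oses = {r["os"] for r in members}
    return {
        "ports": sorted(common_ports),
        "http_server": servers.pop() if len(servers) == 1 else None,
        "os": oses.pop() if len(oses) == 1 else None,
    }


if __name__ == "__main__":
    for key, ips in cluster_by_pivot(SCAN_RECORDS).items():
        print(key, ips, shared_attributes(SCAN_RECORDS, ips))
```

Run against real Censys output, the same grouping turns one suspicious certificate into a watchlist of the hosts that share the whole template, which is what network traffic monitoring should alert on.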
Related Tags:
ssl/tls certificate
ssh host key
censys
T1563.002
T1608.003
T1102.003
T1587.003
T1608.001
T1588.004
Associated Indicators: