Unpacking the BADBOX Botnet
Essential information
- Published
- 05/02/2025 00:14
- Modified
- 05/02/2025 11:17
- Tags
- 2025-02-05 android badbox botnet censys firmware iot ssh host key ssl/tls certificate supply-chain
- Related entities
- 19 observables, 1 intrusion sets (apt), 8 techniques (mitre), 1 malware, 1 others
Description
The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certificate common to BADBOX infrastructure was identified, revealing five IPs and numerous domains using the same certificate and SSH host key. This indicates a single actor controlling a templated environment. The analysis uncovered shared attributes among the infected hosts, including open SSH ports and nginx 1.20.1 running on CentOS. The scale and stealthy nature of BADBOX highlight the critical need for supply chain integrity monitoring and network traffic analysis.