News
Unknown botnet Fbot destroys hidden Monero miners on Android OS
Cybersecurity experts have discovered a new botnet that, instead of carrying out malicious activity, searches for and removes cryptocurrency-mining malware.
The Fbot botnet is a variant of the Satori botnet, which in turn is based on Mirai, malware commonly used to carry out DDoS attacks. In this case, however, the DDoS component has been disabled and replaced with a function that searches for devices infected with a particular hidden cryptocurrency miner.
The botnet was discovered by the Qihoo 360 Netlab team. According to them, Fbot looks for com.ufo.miner, a variant of the Monero miner for Android devices called ADB.Miner.
The botnet finds infected devices through open ports and uses a script to remove com.ufo.miner if it is present. Fbot is programmed to scan the network and spread across it, install itself over the malware, and then self-destruct, the researchers say.
Another unusual feature of Fbot is that it does not use the standard Domain Name System (DNS) but a decentralized, blockchain-based alternative called EmerDNS, which makes its addresses harder to track and take down.
"Fbot's choice of EmerDNS over traditional DNS is quite curious. Because of this, it was more difficult for experts to find and track it (security systems do not find anything if they search only for traditional DNS names)," they write.
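One way a defender can cover the blind spot the researchers describe is to look for lookups in EmerDNS zones in resolver logs. The sketch below is an added example, not code from the article or from Netlab; the zone list (.emc, .coin, .lib, .bazar) is taken from Emercoin's public description of EmerDNS, and the log format, host addresses and domain names are constructed for illustration.

```python
# Added example: flag DNS queries for EmerDNS zones in resolver logs.
# Zones served by EmerDNS; none of them exist in the ICANN root.
EMERDNS_ZONES = {"emc", "coin", "lib", "bazar"}

# Constructed sample log. The format "<timestamp> <client_ip> <qname> <qtype>"
# is an assumption; adapt the parsing to your resolver's real log layout.
SAMPLE_LOG = """\
2018-09-20T10:01:02Z 10.0.0.15 www.example.com. A
2018-09-20T10:01:05Z 10.0.0.23 c2.example-botnet.lib. A
2018-09-20T10:01:09Z 10.0.0.23 updates.example.org. AAAA
2018-09-20T10:02:11Z 10.0.0.42 Wallet.Example.COIN A
malformed line
2018-09-20T10:03:00Z 10.0.0.15 lib.example.net. A
"""


def emerdns_zone(qname):
    """Return the EmerDNS zone a query name falls in, or None."""
    labels = qname.rstrip(".").lower().split(".")
    tld = labels[-1]
    # Require at least two labels so a bare single-word lookup is not flagged.
    return tld if len(labels) > 1 and tld in EMERDNS_ZONES else None


def find_emerdns_queries(log_text):
    """Map each client IP to the EmerDNS names it tried to resolve."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, _qtype = fields
        if emerdns_zone(qname):
            hits.setdefault(client, []).append(qname.rstrip(".").lower())
    return hits


if __name__ == "__main__":
    for client, names in find_emerdns_queries(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

This only sees queries that reach the logged resolver; a host that talks directly to an EmerDNS-aware resolver has to be caught by monitoring outbound DNS traffic to resolvers other than the approved ones.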
Whether Fbot does this with good intentions or is simply eliminating competitors is not known.
Hidden miners began growing in popularity last year, according to reports from various cybersecurity companies. The victims include ordinary users, enterprises and even government bodies. Recently it became known that hidden miners had been found on several government websites in India.