### #IoTSecurity #MalwareDisruption #BotnetMitigation
Summary: Germany’s BSI has successfully disrupted the BadBox malware, which was pre-installed on over 30,000 Android-based IoT devices, by employing DNS sinkholing techniques. This operation is part of a broader effort to combat a botnet linked to malicious apps and firmware that has affected over 280,000 devices globally.
Threat Actor: Unknown | BadBox
Key Points:
- BadBox malware was found pre-installed on IoT devices sold in Germany.
- The malware creates a botnet of over 280,000 devices, primarily linked to China.
- BSI utilized DNS sinkholing to disrupt the malware’s communication with its command-and-control servers.
- This operation prevents the malware from executing commands or sending stolen data.
Germany’s Federal Office for Information Security (BSI) has disrupted the BadBox malware operation, which was found pre-installed on over 30,000 Android-based IoT devices sold in Germany.
Typically, BadBox comes embedded in a device’s firmware. Once the infected device connects to the internet, the malware contacts a remote command-and-control (C2) server operated by threat actors.
First spotted in October 2023, the BadBox malware spread through malicious Android and iOS apps and Android TV streaming box firmware, creating a botnet of over 280,000 devices globally. The botnet’s operations have been linked to China.
To disrupt the operation, BSI performed DNS sinkholing, a technique that reroutes the malware’s communication to servers controlled by authorities instead of the attackers’ C2 servers. The sinkholing action blocks the malware from receiving commands or transmitting stolen data.
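As an added illustration of the sinkholing technique described above (example code written for this post, not anything from BSI or from the BadBox analysis), the block below models both halves of what a sinkhole does: a resolver that answers queries for a blocklisted C2 zone with an authority-controlled address instead of the attacker's, and the detection step that follows, in which the query log collected at the sinkhole reveals which client devices are infected. Every hostname, IP address and log line in it is constructed for the example; none is a real BadBox indicator.

```python
"""Toy model of DNS sinkholing and of the detection step it enables.

Added example, not code from the original post or from BSI.
All domains, addresses and log lines below are constructed placeholders,
not real BadBox indicators of compromise.
"""
from dataclasses import dataclass
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Placeholder C2 zones an authority would redirect (constructed, not real IoCs).
SINKHOLED_ZONES = {"c2-placeholder.example", "update-placeholder.example"}

# Placeholder sinkhole address (RFC 5737 documentation range, not a real server).
SINKHOLE_IP = "192.0.2.10"

# Constructed "normal" answers so that benign names still resolve in the model.
NORMAL_ANSWERS = {"ntp.example": "192.0.2.50", "cdn.example": "192.0.2.51"}


def is_sinkholed(qname: str) -> bool:
    """True if qname is a sinkholed zone or any subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in SINKHOLED_ZONES)


def resolve(qname: str) -> Optional[str]:
    """Resolver side of the sinkhole.

    Names under a sinkholed zone get the sinkhole address, so the malware's
    beacons land on the authority's server; everything else resolves normally.
    """
    if is_sinkholed(qname):
        return SINKHOLE_IP
    return NORMAL_ANSWERS.get(qname.rstrip(".").lower())


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str


def parse_log(text: str) -> List[Query]:
    """Parse constructed query-log lines of the form '<timestamp> <client> <qname>'.

    Blank lines and '#' comments are skipped; malformed lines are ignored.
    """
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        queries.append(Query(ts=parts[0], client=parts[1], qname=parts[2]))
    return queries


def infected_clients(queries: List[Query]) -> Dict[str, Set[str]]:
    """Detection side: map each client that asked for a sinkholed name to those names.

    A device that resolves the C2 zone at all is the signal; with the sinkhole in
    place it never reaches the real C2, but its query identifies it for cleanup.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        if is_sinkholed(q.qname):
            hits[q.client].add(q.qname.rstrip(".").lower())
    return dict(hits)


# Constructed sample log: two infected clients, two benign ones, one comment line.
SAMPLE_LOG = """\
# timestamp client qname   (constructed sample data)
2024-12-12T10:00:01Z 10.0.0.23 beacon.c2-placeholder.example
2024-12-12T10:00:02Z 10.0.0.5  ntp.example
2024-12-12T10:00:03Z 10.0.0.23 update-placeholder.example
2024-12-12T10:00:04Z 10.0.0.8  cdn.example
2024-12-12T10:00:05Z 10.0.0.42 www.c2-placeholder.example.
"""


if __name__ == "__main__":
    for name in ("beacon.c2-placeholder.example", "ntp.example"):
        print(f"{name} -> {resolve(name)}")
    for client, names in sorted(infected_clients(parse_log(SAMPLE_LOG)).items()):
        print(f"{client}: queried {sorted(names)}")
```

In a real deployment the resolver half is done at the registry or authoritative-DNS level (the domain is repointed to the authority's server), and the detection half is done by the authority or the ISPs that receive the sinkhole's hit list; the model above just makes the data flow visible.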
Original Source: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241212_Badbox_Sinkholing.html
Cyber Law and Cybercrime Investigation Blog: Immuniweb