Linux.BTCMine.26

A malware author has created a new cryptocurrency miner that infects Linux devices exposing an open Telnet port or using default Telnet credentials.

This new trojan — detected by Dr.Web under the name Linux.BTCMine.26 (BTCMine in the rest of this article) — mines for the Monero cryptocurrency and targets only the x86-64 and ARM hardware architectures.

Miner infects Linux devices via unsecured Telnet ports

Researchers say the trojan uses a Telnet scanner similar to the one deployed by the Mirai IoT malware. BTCMine will scan random IPv4 addresses and attempt to connect via the Telnet port.

If the port is open or the user employs one of many known default credentials, the malware connects and runs commands to download and run the actual BTCMine binary.

The trojan stood out in the eyes of Dr.Web researchers because of the many references to krebsonsecurity.com, the personal blog of infosec investigative journalist Brian Krebs.

This is not the first malware to reference Krebs or his blog, both very popular among security researchers and malware authors alike. In recent years, it has become quite commonplace for malware developers to insult Krebs or give him a shout-out in their code.

Krebs reference in Linux.BTCMine.26

Rising number of cryptocurrency miners

BTCMine is part of a larger trend. In recent months, researchers from various security firms have discovered quite a few new cryptocurrency miners.

CoinMiner - miner targeting Windows via NSA's EternalBlue
DevilRobber - miner targeting Macs that recently resurfaced
Trojan.BtcMine.1259 - miner targeting Windows via NSA's DoublePulsar
EternalMiner - miner targeting Windows via SambaCry flaw
Adylkuzz - miner targeting Windows via NSA's EternalBlue
Bondnet - miner targeting Windows Servers via RDP
NsCpuCNMiner - miner targeting Seagate NAS devices
Various miners targeting the new Zcash cryptocurrency

The trend can be justified by the rise in popularity — and usage — of new cryptocurrencies like Ethereum, Monero, or Zcash.

To mine Bitcoin efficiently, users need specially optimized hardware rigs. Users don't need these special rigs for mining Ethereum, Monero, or Zcash, and they can still make a profit just by using their regular computers. Or, in the case of BTCMine, hijacked Linux servers.

If any of our readers use Telnet to connect to their Linux device, make sure to secure the Telnet account with a strong password. If the Telnet account already has a password, make sure it's not the default password that ships in the device's manual. In addition, make sure you're not using one of the generic and easy-to-guess passwords that scanners like this one try first.
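As an added defensive example (it is neither Dr.Web's tooling nor anything taken from the BTCMine sample), the following Python script covers both the scanning behaviour described above and the password advice: it parses Telnet login records, flags a source that bursts failed logins across several usernames within a short window the way a Mirai-style Telnet scanner does, escalates the verdict when such a source then logs in successfully, and checks a chosen credential pair against a small default/weak list. The log line format, the thresholds and the default-credential list are all assumptions constructed for this example; adapt them to the logger and device you actually run.

```python
"""
Telnet credential-spray detection plus a default-password check.

Added example for this article, not code from Dr.Web or from BTCMine.
Assumptions: the log format below, the 60 s / 4-failure threshold and the
DEFAULT_CREDS set are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): ISO timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)

# Constructed sample log: one external host sprays several usernames within
# seconds and finally gets in; one ordinary LAN login with a single typo.
SAMPLE_LOG = """\
2017-06-01T10:00:01 telnetd: login failed user=root from=203.0.113.7
2017-06-01T10:00:02 telnetd: login failed user=root from=203.0.113.7
2017-06-01T10:00:02 telnetd: login failed user=admin from=203.0.113.7
2017-06-01T10:00:03 telnetd: login failed user=support from=203.0.113.7
2017-06-01T10:00:04 telnetd: login failed user=admin from=203.0.113.7
2017-06-01T10:00:05 telnetd: login ok user=root from=203.0.113.7
2017-06-01T10:00:30 telnetd: login ok user=ops from=10.0.0.5
2017-06-01T10:05:00 telnetd: login failed user=ops from=10.0.0.5
"""

# Illustrative (constructed) vendor-default and trivially guessable pairs; a
# real deployment would load the defaults documented for its own device.
DEFAULT_CREDS = {
    ("root", "root"), ("root", "admin"), ("root", "12345"),
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("support", "support"), ("user", "user"),
}


def parse_log(text):
    """Return a list of (timestamp, result, user, src) for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of crashing
        events.append((datetime.fromisoformat(m["ts"]), m["result"],
                       m["user"], m["src"]))
    return events


def detect_telnet_spray(text, window=timedelta(seconds=60), min_failures=4):
    """
    Flag each source producing >= min_failures failed logins inside `window`
    (the burst a scanner trying default credentials leaves behind). A
    successful login from that source at or after the burst start is
    reported as 'compromised' rather than just 'spray'.
    Returns {src: {"failures": n, "users": [...], "verdict": str}}.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "failed"]
        burst = []
        # Slide a window over the failures and stop at the first dense burst.
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - first[0] <= window]
            if len(burst) >= min_failures:
                break
        if len(burst) < min_failures:
            continue
        success_after = any(e[1] == "ok" and e[0] >= burst[0][0] for e in evs)
        findings[src] = {
            "failures": len(failures),
            "users": sorted({e[2] for e in burst}),
            "verdict": "compromised" if success_after else "spray",
        }
    return findings


def credential_is_weak(user, password, min_len=12):
    """True if the pair is a known default, the password alone is a known
    default value, or the password is shorter than min_len characters."""
    if (user, password) in DEFAULT_CREDS:
        return True
    if password.lower() in {p for _, p in DEFAULT_CREDS if p}:
        return True
    return len(password) < min_len


if __name__ == "__main__":
    for src, info in detect_telnet_spray(SAMPLE_LOG).items():
        print(f"{src}: {info['verdict']} ({info['failures']} failures, "
              f"users tried: {', '.join(info['users'])})")
    print("root/12345 weak:", credential_is_weak("root", "12345"))
```

Run against the constructed log, the script reports 203.0.113.7 as compromised (five failures across root, admin and support, then a successful root login) while the single failed login from 10.0.0.5 is ignored. Since the malware only needs an open port plus a guessable password, the strongest mitigation remains disabling telnetd wherever it is not required and using SSH instead; the detector above is for the devices where Telnet must stay on.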