
A Linux trojan detected under the generic name of Linux.MulDrop.14 is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.
According to Russian antivirus maker Dr.Web, the malware was first spotted online in the second half of May in the form of a script that contains a compressed and encrypted application.
Experts say the initial infection takes place when Raspberry Pi operators leave their devices' SSH ports open to external connections.
Once a Raspberry Pi device is infected, the malware changes the password for the "pi" account to:
$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1
Malware targets only Raspberry Pi devices
After this, Linux.MulDrop.14 shuts down several processes and installs libraries required for its operation, including ZMap and sshpass.
The malware then launches its cryptocurrency mining process and uses ZMap to continuously scan the Internet for other devices with an open SSH port.
Once it finds one, the malware uses sshpass to attempt to log in using the username "pi" and the password "raspberry." Only this user/password combo is used, meaning the malware only targets Raspberry Pi single-board computers.
This is somewhat out of the ordinary, since most malware tries to target as many platforms as it can. Nonetheless, this version of the malware may still be under development, and other username and password combos may be added at a later date.
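The infection path described above leaves a recognizable trace in the victim's sshd log: password guesses against the "pi" account from Internet addresses, followed by a successful password login. The detector below is an added example (not Dr.Web's code or anything from the original article) that runs over a constructed sample of sshd log lines; the log format, the internal-network list and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd auth-log sample (not real telemetry): a guess against "pi"
# from the Internet, an unrelated guess, a successful password login from the
# same external host, and a legitimate key-based login from the LAN.
SAMPLE_LOG = """\
Jun  5 10:01:12 raspberrypi sshd[1234]: Failed password for pi from 203.0.113.7 port 51234 ssh2
Jun  5 10:01:15 raspberrypi sshd[1236]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Jun  5 10:01:20 raspberrypi sshd[1240]: Accepted password for pi from 203.0.113.7 port 51240 ssh2
Jun  5 10:02:00 raspberrypi sshd[1250]: Accepted publickey for pi from 192.168.1.20 port 52000 ssh2
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

# Assumed "internal" ranges; anything else is treated as Internet-facing traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def parse_logins(text):
    """Yield (result, method, user, src) for each sshd login event in the log."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")

def is_external(src):
    """True when src is an IP address outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or malformed fields are not classified as external
    return not any(ip in net for net in INTERNAL_NETS)

def detect_pi_credential_abuse(text, fail_threshold=1):
    """Flag password-based SSH activity against the 'pi' account from external hosts."""
    findings, failures = [], Counter()
    for result, method, user, src in parse_logins(text):
        if user != "pi" or method != "password" or not is_external(src):
            continue  # key-based logins and LAN traffic are out of scope here
        if result == "Failed":
            failures[src] += 1
        else:
            findings.append(f"ALERT: password login for pi from external {src} "
                            "(possible default-credential compromise)")
    for src, n in failures.items():
        if n >= fail_threshold:
            findings.append(f"WARN: {n} failed password attempt(s) for pi from external {src}")
    return findings
```

Raise `fail_threshold` on a host that is legitimately exposed, and treat any ALERT as a trigger to check for the password change and the ZMap/sshpass installs the article describes.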
Still better than Mirai
Most users would dismiss the idea of using Raspberry Pi devices to mine for cryptocurrency, which is a very computationally heavy operation.
While Raspberry Pi single-board computers do have some hardware resources at their disposal for the task the malware is attempting to perform, they are not as powerful as classic desktop or laptop computers, and nowhere near the efficiency of dedicated mining equipment.
Nevertheless, people have used Raspberry Pi devices to mine for cryptocurrency in the past, with moderate success.
Either way, Linux.MulDrop.14 is certainly better equipped for the task at hand than a version of the Mirai IoT malware spotted in mid-April, which also tried to mine for cryptocurrency for a short period of time.
At the time, Errata Security researcher Robert Graham estimated that if a Mirai botnet of 2.5 million bots mined for cryptocurrency, it would be earning only $0.25 per day because of the low computational power of the devices Mirai is capable of infecting (usually security cameras, DVRs, routers, and other IoT equipment).
Linux malware used to create a proxy network
Last but not least, Dr.Web researchers also said they discovered a second Linux malware strain, which they named Linux.ProxyM.
As this malware's name implies, this Linux trojan is used to start a SOCKS proxy server on infected devices, which the trojan's author then uses to relay malicious traffic, disguising his real identity and location.
No other details are available at this time about Linux.ProxyM, but researchers said the number of devices infected with this strain has grown to 10,000 systems since it was first spotted in February 2017.

Comments
SuperSapien64 - 7 years ago
Hopefully they can patch this.
campuscodi - 7 years ago
There's nothing to patch. Just don't use the default passwords.
pitard - 7 years ago
This is precisely why it's always recommended you change default passwords. At least make them work for it. Fix it with:
sudo raspi-config
Change Password.
Patched!
-OR from the pi documentation-
CHANGE YOUR PASSWORD
When logged in as the pi user, you can change your password with the passwd command.
Enter passwd on the command line and press Enter. You'll be prompted to enter your current password to authenticate, and then asked for a new password. Press Enter on completion and you'll be asked to confirm it. Note that no characters will be displayed while entering your password. Once you've correctly confirmed your password, you'll be shown a success message (passwd: password updated successfully), and the new password will apply immediately.
If your user has sudo permissions, you can change another user's password with passwd preceded by the user's username. For example, sudo passwd bob will allow you to set the user bob's password, and then some additional optional values for the user such as their name. Just press Enter to skip each of these options.