Linux.MulDrop.14 is a Linux worm that seeks out networked Raspberry Pi systems with default root passwords; after taking them over and ZMap and sshpass, it begins mining an unspecified cryptocurrency, creating riches for the malware’s author and handing you the power-bill.
Experts say the initial infection takes place when Raspberry Pi operators leave their devices’ SSH ports open to external connections.Once a Raspberry Pi device is infected, the malware changes the password for the “pi” account to:
\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1
After this, Linux.MulDrop.14 shuts down several processes and installs libraries required for its operation, including ZMap and sshpass.
The malware then launches its cryptocurrency mining process and uses ZMap to continuously scan the Internet for other devices with an open SSH port.
Once it finds one, the malware uses sshpass to attempt to log in using the username “pi” and the password “raspberry.” Only this user/password combo is used, meaning the malware only targets Raspberry Pi single-board computers.
Linux Malware Mines for Cryptocurrency Using Raspberry Pi Devices [Catalin Cimpanu/Bleeping Computer]
(Image: Evan-Amos, PD)