Internet
of Things (IoT) devices with hardcoded default login credentials are
being targeted by a newly discovered Linux malware, security researchers
warn.
Dubbed NyaDrop,
the new Linux threat was spotted in some attacks almost half a year
ago, but it wasn’t well-built and couldn’t successfully infect devices, a
Malware Must Die post reveals. Recently the malware resurfaced with a series of improvements, in better-choreographed attacks.
The main driver for these attacks, security researcher unixfreaxjp says, is represented by known factory hardcoded default login credentials, a flaw that IoT devices were long said to be impacted by (the Mirai botnet has proven how easily these devices can be ensnared). The malware is targeting the vulnerable routers and similar networking devices based on the MIPS CPU architecture.
Just as other IoT malware
out there, NyaDrop is spreading via brute-force attacks that leverage
easy-to-guess credentials and which have a Russian IP address as source.
The threat actor is believed to focus more on keeping the distribution
of this malware under the radar than on spreading the infection fast.
Thus, the actor attacks only specific IP targets per session and also
stops previous attacks, though they return to previous failed attempts
in a slow rotation.
The
security researcher believes that the attacker is intentionally aiming
at MIPS devices, by checking CPU info, and is avoiding ARM and PPC
devices. Once the vulnerable machine has been successfully breached, the
NyaDrop malware is dropped onto it.
The
threat is a Linux backdoor and dropper that opens an Internet socket
(AF_INET) on the infected host to remotely connect to the attacker’s
server to receive any Linux executable that should be used to further
infect the machine. The received data is saved as a “nya” ELF malware
file and is executed by Linux/NyaDrop with its permission privilege on
the targeted device.
Each
time new attacks are successfully logged into the MIPS machine, the
“nya” file is deleted and then the “nya” malware is updated, which
allows the attacker to easily keep the botnet component up to date. If
attacks aren’t successful, the “nyadrop” (the malware’s executable) and
“nya” binaries aren’t saved, which should prevent detection.
The malware’s executable is a small, clean libc
compiled ELF coded in C, the researcher reveals. Despite being small,
however, the file packs a punch. What’s worse is the fact that detection
is very low, and the security researcher notes that hash-based
signature detection would almost certainly fail, because NyaDrop’s
nature of infection will result in multiple hashes being created.
Related: Weak Credentials Fuel IoT Botnets
No comments:
Post a Comment