A new trojan named Linux.MulDrop.14 has started targeting Raspberry Pi devices. The trojan is designed to hit single-board computers and use them to mine cryptocurrencies.
Security researchers from Dr. Web have revealed the existence of the Linux.MulDrop.14 trojan in a blog post. The trojan is described as a bash script that contains a mining program. The attackers have encoded the trojan with base64 and compressed it with gzip. The trojan also forcibly shuts down several processes and installs infected libraries required for its operation.
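For analysts who need to inspect a script packed this way without running it, the following added example (not from Dr. Web or the original article) peels base64 and gzip wrappers statically. The function names, layer limit, size cap and sample are assumptions constructed for illustration.

```python
import base64
import binascii
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_LAYERS = 8                 # assumed limit: stop on absurdly deep nesting
MAX_OUTPUT = 16 * 1024 * 1024  # assumed cap: guards against decompression bombs


def _gunzip_bounded(data):
    """Decompress a gzip stream, refusing output larger than MAX_OUTPUT."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect gzip header and trailer
    out = d.decompress(data, MAX_OUTPUT + 1)
    if len(out) > MAX_OUTPUT:
        raise ValueError("decompressed layer exceeds size cap")
    return out


def _try_base64(data):
    """Return decoded bytes if data is strictly valid base64, else None."""
    compact = b"".join(data.split())  # tolerate line-wrapped encodings
    if len(compact) < 16 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def unpack_layers(blob):
    """Peel wrappers without executing anything; return (layers, payload)."""
    layers = []
    for _ in range(MAX_LAYERS):
        decoded = _try_base64(blob)
        if blob[:2] == GZIP_MAGIC:
            blob, kind = _gunzip_bounded(blob), "gzip"
        # Accept base64 only when it reveals a gzip stream, because short
        # runs of ordinary text can happen to be valid base64.
        elif decoded is not None and decoded[:2] == GZIP_MAGIC:
            blob, kind = decoded, "base64"
        else:
            break
        layers.append(kind)
    return layers, blob


if __name__ == "__main__":
    # Constructed, harmless sample packed the way the article describes.
    sample = base64.b64encode(gzip.compress(b"#!/bin/bash\necho constructed\n"))
    print(unpack_layers(sample))
```

The returned layer list records the order in which wrappers were removed, outermost first, which is worth noting in an analysis report alongside a hash of the innermost payload.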
“The Trojan uses a special range of methods to detect honeypots—special decoy servers used by digital security specialists to examine malicious software,” Dr. Web researchers write in a blog post.
Although the Linux trojan is designed to mine cryptocurrencies, Bitcoin is notably not included in the list. Mining Bitcoin would require more computational power than a Raspberry Pi can offer. Other digital currencies such as Monero, Dogecoins and Litecoins, on the other hand, need less power. They can thus be exploited using a small piece of malware like Linux.MulDrop.14.
Once the trojan is installed, it brings together zmap and sshpass. The password of the “pi” user is automatically changed to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxP”.
Using sshpass, the trojan looks for an open port 22 to log in with the changed password. It also smartly uses zmap to save and run a copy of the malicious code in an infinite loop.