Internet of Things (IoT) devices with hardcoded default login credentials are being targeted by a newly discovered Linux malware, security researchers warn.
Dubbed NyaDrop, the new Linux threat was spotted in some attacks almost half a year ago, but it wasn’t well-built and couldn’t successfully infect devices, a Malware Must Die post reveals. Recently the malware resurfaced with a series of improvements, in better-choreographed attacks.
The main driver for these attacks, security researcher unixfreaxjp says, is represented by known factory hardcoded default login credentials, a flaw that IoT devices were long said to be impacted by (the Mirai botnet has proven how easily these devices can be ensnared). The malware is targeting the vulnerable routers and similar networking devices based on the MIPS CPU architecture.
Just as other IoT malware out there, NyaDrop is spreading via brute-force attacks that leverage easy-to-guess credentials and which have a Russian IP address as source. The threat actor is believed to focus more on keeping the distribution of this malware under the radar than on spreading the infection fast. Thus, the actor attacks only specific IP targets per session and also stops previous attacks, though they return to previous failed attempts in a slow rotation.
The security researcher believes that the attacker is intentionally aiming at MIPS devices, by checking CPU info, and is avoiding ARM and PPC devices. Once the vulnerable machine has been successfully breached, the NyaDrop malware is dropped onto it.
The threat is a Linux backdoor and dropper that opens an Internet socket (AF_INET) on the infected host to remotely connect to the attacker’s server to receive any Linux executable that should be used to further infect the machine. The received data is saved as a “nya” ELF malware file and is executed by Linux/NyaDrop with its permission privilege on the targeted device.
Each time new attacks are successfully logged into the MIPS machine, the “nya” file is deleted and then the “nya” malware is updated, which allows the attacker to easily keep the botnet component up to date. If attacks aren’t successful, the “nyadrop” (the malware’s executable) and “nya” binaries aren’t saved, which should prevent detection.
The malware’s executable is a small, clean libc compiled ELF coded in C, the researcher reveals. Despite being small, however, the file packs a punch. What’s worse is the fact that detection is very low, and the security researcher notes that hash-based signature detection would almost certainly fail, because NyaDrop’s nature of infection will result in multiple hashes being created.
Related: Weak Credentials Fuel IoT Botnets