Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



NyaDrop Backdoor and Dropper Targets IoT Devices

Internet of Things (IoT) devices with hardcoded default login credentials are being targeted by a newly discovered Linux malware, security researchers warn.

Internet of Things (IoT) devices with hardcoded default login credentials are being targeted by a newly discovered Linux malware, security researchers warn.

Dubbed NyaDrop, the new Linux threat was spotted in some attacks almost half a year ago, but it wasn’t well-built and couldn’t successfully infect devices, a Malware Must Die post reveals. Recently the malware resurfaced with a series of improvements, in better-choreographed attacks.

The main driver for these attacks, security researcher unixfreaxjp says, is represented by known factory hardcoded default login credentials, a flaw that IoT devices were long said to be impacted by (the Mirai botnet has proven how easily these devices can be ensnared). The malware is targeting the vulnerable routers and similar networking devices based on the MIPS CPU architecture.

Just as other IoT malware out there, NyaDrop is spreading via brute-force attacks that leverage easy-to-guess credentials and which have a Russian IP address as source. The threat actor is believed to focus more on keeping the distribution of this malware under the radar than on spreading the infection fast. Thus, the actor attacks only specific IP targets per session and also stops previous attacks, though they return to previous failed attempts in a slow rotation.

The security researcher believes that the attacker is intentionally aiming at MIPS devices, by checking CPU info, and is avoiding ARM and PPC devices. Once the vulnerable machine has been successfully breached, the NyaDrop malware is dropped onto it.

The threat is a Linux backdoor and dropper that opens an Internet socket (AF_INET) on the infected host to remotely connect to the attacker’s server to receive any Linux executable that should be used to further infect the machine. The received data is saved as a “nya” ELF malware file and is executed by Linux/NyaDrop with its permission privilege on the targeted device.

Each time new attacks are successfully logged into the MIPS machine, the “nya” file is deleted and then the “nya” malware is updated, which allows the attacker to easily keep the botnet component up to date. If attacks aren’t successful, the “nyadrop” (the malware’s executable) and “nya” binaries aren’t saved, which should prevent detection.

The malware’s executable is a small, clean libc compiled ELF coded in C, the researcher reveals. Despite being small, however, the file packs a punch. What’s worse is the fact that detection is very low, and the security researcher notes that hash-based signature detection would almost certainly fail, because NyaDrop’s nature of infection will result in multiple hashes being created.

Related: Weak Credentials Fuel IoT Botnets

Related: The IoT Sky is Falling: How Being Connected Makes Us Insecure

Related: Attackers Use Decade-Old Flaw to Target IoT Devices 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet