There’s a new Linux Trojan, dubbed Linux/NyaDrop, and it has already been reverse engineered by MalwareMustDie, the same researcher who discovered Mirai. The Mirai IoT botnet was used in multiple attacks and infected devices worldwide. The appearance of yet another piece of Linux malware is probably explained by the fact that the Mirai source code was leaked not long ago.
More about Linux/NyaDrop
MalwareMustDie’s research indicates that Linux/NyaDrop spreads through brute-force attacks on Telnet ports, Softpedia reports. Initially, the malware was rather simplistic, but its code has progressed since the DDoS attacks on KrebsOnSecurity. The malware operator(s) were most likely lured by the success of the Mirai IoT botnet.
Like most IoT malware, NyaDrop attacks rely on logging into Internet-connected IoT devices over Telnet by brute-forcing their default credentials, so a device whose factory password was never changed is an easy target.
The Trojan is quite small in size because it is a dropper. A dropper is a piece of malware deployed only to download other malware onto a system. This is perhaps the first time researchers have come across IoT malware that uses a dropper. Droppers are common practice in desktop malware and are a typical part of the average malware attack.
Why NyaDrop? The name comes from the malware that may actually be dropped: an ELF binary dubbed “nya”.
As for what happens after a successful infection, the researcher gives the following explanation:
The successfully installed malware file in the MIPS system is the Linux malware backdoor and dropper, I call it ELF Linux/NyaDrop malware, with the function to open an internet socket (AF_INET) to remotely connect to the remote host for receiving data of any Linux executable stream intended to infect the previously Linux/NyaDrop compromised machine.
When the infection is successful, NyaDrop opens a backdoor and downloads the Nya Trojan, but only if the IoT device runs on a 32-bit MIPS CPU. MIPS-based CPUs are common in routers, DVRs, CCTV cameras and embedded systems in general.
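The architecture gate described above is the kind of check an analyst also needs when triaging samples pulled off an infected device or a honeypot: is this binary a 32-bit MIPS ELF at all, and which endianness is it? The following is an added example written for this article, not code from MalwareMustDie or from the NyaDrop sample. It parses only the fixed ELF identification fields (magic, EI_CLASS, EI_DATA) and the e_type/e_machine words that follow them, using the constants from the ELF specification. The sample headers are constructed inline for demonstration and are not real binaries; the function and variable names are the author’s own.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (the subset useful for IoT triage)
MACHINES = {
    0x03: "x86",
    0x08: "mips",
    0x14: "powerpc",
    0x28: "arm",
    0x2A: "superh",
    0x3E: "x86-64",
    0xB7: "aarch64",
}

# e_type values from the ELF specification
TYPES = {1: "relocatable", 2: "executable", 3: "shared-object", 4: "core"}


def classify_elf(data: bytes) -> dict:
    """Parse the ELF e_ident block plus e_type and e_machine.

    Returns {"magic_ok": False} for non-ELF input, otherwise a dict with
    bits (32/64), endian ("little"/"big"), machine name and file type.
    Raises ValueError when the header is truncated or EI_CLASS/EI_DATA
    hold values the specification does not define.
    """
    if len(data) < 20:
        raise ValueError("not enough bytes for an ELF header")
    if data[:4] != ELF_MAGIC:
        return {"magic_ok": False}
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_type and e_machine are 16-bit fields at offset 16, in the file's
    # own byte order, so the order must be chosen from EI_DATA first.
    fmt = "<HH" if endian == "little" else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "magic_ok": True,
        "bits": bits,
        "endian": endian,
        "machine": MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "type": TYPES.get(e_type, f"unknown({e_type})"),
    }


def is_mips32(data: bytes) -> bool:
    """The gate NyaDrop is reported to apply: 32-bit MIPS ELF, any endianness."""
    try:
        info = classify_elf(data)
    except ValueError:
        return False
    return bool(info.get("magic_ok")) and info["bits"] == 32 and info["machine"] == "mips"


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Construct a minimal 20-byte ELF header prefix for testing (not a real binary)."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    # e_ident: magic(4) class(1) data(1) version(1) osabi(1) abiversion(1) pad(7)
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(fmt, e_type, e_machine)


# Constructed sample headers, labelled by what they are meant to look like.
SAMPLES = {
    "mips32be": make_header(1, 2, 2, 0x08),   # typical router/DVR firmware target
    "mips32le": make_header(1, 1, 2, 0x08),
    "arm32le": make_header(1, 1, 2, 0x28),
    "x86_64": make_header(2, 1, 2, 0x3E),
    "not_elf": b"MZ" + b"\x00" * 30,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9} -> {classify_elf(blob)}  mips32={is_mips32(blob)}")
```

Two points worth noting: the byte order of e_machine depends on EI_DATA, so a parser that hard-codes little-endian will misread big-endian MIPS images, which are exactly the ones common on routers; and a dropper can only make this decision from the local CPU, whereas an analyst makes it from the file, so the header check above is the file-side counterpart of the gate the article describes.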
The worst part is that, because the dropper can fetch arbitrary payloads, future versions of NyaDrop could be deployed in a range of malicious scenarios. New payloads can be downloaded onto infected devices at any time, and those payloads could launch DDoS attacks or turn the devices into proxies for web traffic, concealing the attacker’s actual location.
All these “tricks” employed by the creator of NyaDrop reveal a well-thought-out agenda: the author is doing whatever they can to avoid getting caught. In addition, NyaDrop can detect honeypot environments and stops executing if it finds one. The author has also restricted the way NyaDrop is spread, which is why MalwareMustDie says he was lucky to have “acquired” a sample for reverse engineering.
More technical details