Linux malware turns Raspberry Pi into a bot for cryptocurrency mining

Linux.MulDrop.14 is a Linux worm that searches for Raspberry Pi network systems whose default root password has not been changed, and after infiltrating them and obtaining ZMap and sshpass, it begins mining an unspecified cryptocurrency. In this way, the infected Raspberry Pi will become a source of revenue for the creator of this Linux worm.

Experts say that initial infection will occur when Raspberry Pi operators keep their devices’ SSH ports and external connections open.

After a Raspberry Pi-based device is infected by Linux.MulDrop.14, the malware changes the default password for the “pi” user account to the following:

\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1

 

In the next step, Linux.MulDrop.14 terminates several active processes on the Raspberry Pi and installs the libraries needed to perform its activities. These libraries include ZMap and sshpass.

At this stage, the malware starts the cryptocurrency mining process and uses ZMap to search continuously for other devices with open SSH ports.

After finding new devices, the malware attempts to log in to them using sshpass, with the username pi and the default password raspberry. This username and password pair is the only information Linux.MulDrop.14 uses to infiltrate Raspberry Pi-based computers.

Thus, to prevent infection with this malware, the best thing to do is to change the default SSH password on the Raspberry Pi.
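The following Python check is an added example, not code from the original article or from the researchers. It looks for the two traces described above: the replaced password hash on the pi account, and the presence of ZMap and sshpass. It assumes the tools were installed as Debian packages named zmap and sshpass, so they show up in /var/lib/dpkg/status; the function names and sample inputs are constructed for illustration.

```python
"""Check a Raspberry Pi for the Linux.MulDrop.14 traces named in the article."""
import sys

# Password hash the article says the worm sets for "pi" (copied from the page).
MULDROP_PI_HASH = "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1"
WORM_TOOLS = {"zmap", "sshpass"}  # assumed Debian package names

# Constructed sample inputs (not captured from a real system).
SAMPLE_SHADOW = "root:*:17000:0:99999:7:::\npi:" + MULDROP_PI_HASH + ":17300:0:99999:7:::\n"
SAMPLE_DPKG = (
    "Package: zmap\nStatus: install ok installed\n\n"
    "Package: sshpass\nStatus: deinstall ok config-files\n\n"
    "Package: openssh-server\nStatus: install ok installed\n"
)

def shadow_hash(shadow_text, user="pi"):
    """Return the password field for `user` from /etc/shadow content, or None."""
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None

def installed_packages(dpkg_status_text):
    """Return packages whose dpkg state is 'installed' (not removed or half-installed)."""
    installed = set()
    for paragraph in dpkg_status_text.split("\n\n"):
        fields = {}
        for line in paragraph.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip().lower()] = value.strip()
        if "package" in fields and fields.get("status", "").split()[-1:] == ["installed"]:
            installed.add(fields["package"])
    return installed

def audit(shadow_text, dpkg_status_text):
    """Return a list of findings; an empty list means neither trace was seen."""
    findings = []
    if shadow_hash(shadow_text) == MULDROP_PI_HASH:
        findings.append("pi password hash matches the value set by Linux.MulDrop.14")
    tools = sorted(WORM_TOOLS & installed_packages(dpkg_status_text))
    if tools:
        findings.append("worm tooling present in dpkg: " + ", ".join(tools))
    return findings

if __name__ == "__main__":  # run as root on the Pi to read the real files
    try:
        with open("/etc/shadow") as s, open("/var/lib/dpkg/status") as d:
            results = audit(s.read(), d.read())
    except OSError as exc:
        sys.exit(f"cannot read system files: {exc}")
    print("\n".join(results) or "no Linux.MulDrop.14 traces from the article found")
```

An empty result only means these two traces are absent; it does not show that the pi account has a non-default password.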
