Linux Trojan Using Hacked IoT Devices to Send Spam Emails



Botnets like Mirai that infect Linux-based internet-of-things (IoT) devices are growing in number and are mainly designed to conduct Distributed Denial of Service (DDoS) attacks, but researchers have discovered that cybercriminals are also using such botnets for mass spam mailings.
New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM, which cybercriminals use to ensure their online anonymity, has recently been updated to add mass spam-sending capabilities to earn money.
The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers.
Linux.ProxyM can operate on almost any Linux device, including routers, set-top boxes, and other equipment with the following architectures: x86, MIPS, PowerPC, MIPSEL, ARM, Motorola 68000, SuperH and SPARC.

Here's How this Linux Trojan Works:

Once infected with Linux.ProxyM, the device connects to a command and control (C&C) server and downloads the addresses of two Internet nodes:
  • The first provides a list of logins and passwords
  • The second one is needed for the SOCKS proxy server to operate
The C&C server also sends a command containing an SMTP server address, the credentials used to access it, a list of email addresses, and a message template, which contains advertising for various adult-content sites.
A typical email sent using devices infected with this Trojan contains a message that reads:
Subject: Kendra asked if you like hipster girls

A new girl is waiting to meet you. And she is a hottie! Go here to see if you want to date this hottie (Copy and paste the link to your browser) http://whi*******today.com/ Check out sexy dating profiles There are a LOT of hotties waiting to meet you if we are being honest!
On average, each infected device sends out 400 such emails per day.
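From a defender's point of view, the behaviour described above (an embedded device that suddenly opens hundreds of outbound SMTP connections a day) is easy to spot at the network edge. The following is an added example, not Doctor Web's code and not part of the Trojan: it parses constructed firewall log lines and flags hosts that are not authorised mail relays but exceed a daily SMTP connection threshold. The log format, the set of mail ports, the threshold and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<ISO timestamp> <src ip> <dst ip> <dst port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)
SMTP_PORTS = {"25", "465", "587"}  # assumption: treat all mail ports alike

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def count_smtp_connections(lines):
    """Count outbound connections to mail ports per (day, source IP)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        counts[(rec["ts"][:10], rec["src"])] += 1
    return dict(counts)

def find_suspect_senders(lines, authorised_relays, threshold=100):
    """Hosts that are not authorised relays yet exceed the daily SMTP threshold.
    An IoT device has no business speaking SMTP at all; 100 merely leaves
    headroom for a workstation's own mail client."""
    return {
        key: n for key, n in count_smtp_connections(lines).items()
        if key[1] not in authorised_relays and n > threshold
    }

def make_sample_log():
    """Constructed sample traffic: a set-top box sending ~400 messages a day
    (the rate Doctor Web reports), the site's real mail relay, and a laptop."""
    lines = []
    for i in range(420):  # the infected set-top box
        lines.append(f"2017-09-20T{i // 60:02d}:{i % 60:02d}:00 192.168.1.50 "
                     f"198.51.100.{i % 200 + 1} 25 ALLOW")
    for i in range(300):  # the legitimate relay, also busy but authorised
        lines.append(f"2017-09-20T{8 + i // 60:02d}:{i % 60:02d}:30 192.168.1.2 "
                     f"203.0.113.{i % 50 + 1} 25 ALLOW")
    lines.append("2017-09-20T09:15:00 192.168.1.77 203.0.113.9 587 ALLOW")
    lines.append("2017-09-20T09:16:00 192.168.1.77 203.0.113.9 587 ALLOW")
    lines.append("2017-09-20T09:17:00 192.168.1.77 93.184.216.34 443 ALLOW")
    return lines
```

Running `find_suspect_senders(make_sample_log(), {"192.168.1.2"})` reports only the set-top box; the relay is allowlisted and the laptop stays under the threshold.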
Although the total number of devices infected with this Trojan is unknown, Doctor Web analysts believe the number changed over the months.
According to the Linux.ProxyM attacks launched during the past 30 days, the majority of infected devices are located in Brazil and the US, followed by Russia, India, Mexico, Italy, Turkey, Poland, France and Argentina.
"We can presume that the range of functions implemented by Linux Trojans will be expanded in the future," Dr Web researchers say. 
"The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that."
