A malware author has created a new cryptocurrency miner that infects Linux devices that use open or default Telnet credentials.
This new trojan — detected by Dr.Web under the name
Linux.BTCMine.26 (BTCMine in the rest of this article) — mines for the Monero cryptocurrency and targets only the x86-64 and ARM hardware architectures.
Miner infects Linux devices via unsecured Telnet ports
Researchers say the trojan uses a Telnet scanner similar to the one deployed by the Mirai IoT malware. BTCMine will scan random IPv4 addresses and attempt to connect via the Telnet port.
If the port is open or the user employs one of many known default credentials, the malware connects and runs commands to download and run the actual BTCMine binary.
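One defender-side check that follows from this behaviour, added here as an example and not taken from the Dr.Web write-up or this article: flag a source address that cycles through several different usernames against a Telnet login within a short window, which is the signature of a Mirai-style default-credential sweep rather than a single mistyped password. The log line shape (login(1)-style "FAILED LOGIN" messages), the 60-second window and the three-username threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of login(1) failure messages as seen on a
# syslog host behind a Telnet service; addresses are documentation ranges, not real data.
SAMPLE_LOG = """\
Jan 12 10:00:01 gw login[2011]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.7' FOR 'root', Authentication failure
Jan 12 10:00:02 gw login[2012]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.7' FOR 'admin', Authentication failure
Jan 12 10:00:03 gw login[2013]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.7' FOR 'support', Authentication failure
Jan 12 10:00:04 gw login[2014]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.7' FOR 'user', Authentication failure
Jan 12 10:00:09 gw login[2015]: FAILED LOGIN (1) on '/dev/pts/2' from '203.0.113.9' FOR 'alice', Authentication failure
Jan 12 10:05:00 gw login[2016]: FAILED LOGIN (1) on '/dev/pts/1' from '198.51.100.7' FOR 'root', Authentication failure
"""

# Assumed log format: syslog timestamp, host, login[pid], then the failure text.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \(\d+\) "
    r"on '[^']+' from '(?P<src>[^']+)' FOR '(?P<user>[^']+)'"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            # Year is absent in syslog timestamps; only relative order matters here.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["user"]


def find_credential_sweeps(text, window_s=60, min_users=3):
    """Return {source_ip: sorted usernames} for each source that tried at least
    `min_users` distinct usernames inside some `window_s`-second window."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Usernames attempted from this source within the window opening at `start`.
            users = {u for t, u in events[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                sweeps[src] = sorted(users)
                break
    return sweeps


if __name__ == "__main__":
    for src, users in find_credential_sweeps(SAMPLE_LOG).items():
        print(f"credential sweep from {src}: {', '.join(users)}")
```

On the sample above only 198.51.100.7 is reported; the single failure from 203.0.113.9 is left alone, which is the point of keying on distinct usernames rather than on raw failure counts.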
The trojan stood out in the eyes of Dr.Web researchers because of the many references to
krebsonsecurity.com, the personal blog of infosec investigative journalist Brian Krebs.
This is not the first malware to reference Krebs or his blog, which is very popular among security researchers and malware authors alike. In recent years, it has become quite commonplace for malware developers to insult Krebs or give him a shout-out in their code.