A cryptocurrency mining malware strikes again: the malware referred to as Linux.BTCMine.26 is actively distributed to Linux computers using default Telnet credentials. Despite its name, it does not mine Bitcoin but is interested in Monero, an altcoin which has recently surged in value after weeks of sideways trading action. Additionally, it only targets x86-64 and ARM devices.
How does it work?
The Linux.BtcMine.26 distribution scheme is pretty similar to Mirai's infection mechanism: Linux.BtcMine.26 has a built-in Telnet scanner similar to the one found in the Mirai malware. For now, this scanner will only seek out IPv4 addresses, although IPv6 support may be added in the future. Once it finds a susceptible IP address, it will attempt to log in through a Telnet connection. Assuming this connection is made successfully, the malware will execute commands to download the BTCMine binary in question, themerkle.com reports.
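The propagation pattern described above (a scanner trying default Telnet accounts, then a successful login on the same source) is something a host's auth log can surface. The following is an added detection example, not code from the article or from the malware; the log lines are constructed in a simplified login(1)-style format and the list of "default" account names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified telnetd/login syslog style.
# One source fails twice, then succeeds as 'root'; the others are benign noise.
SAMPLE_LOG = """\
Feb 20 10:01:02 cam1 login[412]: FAILED LOGIN on 'pts/0' from '203.0.113.7' FOR 'root', Authentication failure
Feb 20 10:01:03 cam1 login[412]: FAILED LOGIN on 'pts/0' from '203.0.113.7' FOR 'admin', Authentication failure
Feb 20 10:01:05 cam1 login[413]: LOGIN on 'pts/0' from '203.0.113.7' BY 'root'
Feb 20 10:15:00 cam1 login[500]: LOGIN on 'pts/1' from '192.0.2.10' BY 'operator'
Feb 20 10:20:00 cam1 login[501]: FAILED LOGIN on 'pts/2' from '198.51.100.4' FOR 'root', Authentication failure
"""

FAILED_RE = re.compile(r"FAILED LOGIN on '\S+' from '([\d.]+)' FOR '(\w+)'")
SUCCESS_RE = re.compile(r"\bLOGIN on '\S+' from '([\d.]+)' BY '(\w+)'")

# Assumed set of factory/default account names typically tried by Telnet scanners.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "guest", "support"}


def find_default_credential_logins(log_text, min_failures=1):
    """Return (source_ip, account, prior_failures) for every successful login
    as a default account from a source that had already failed at least
    min_failures times, i.e. the brute-force-then-login shape of a scanner."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            src, user = m.groups()
            if user in DEFAULT_ACCOUNTS and failures[src] >= min_failures:
                hits.append((src, user, failures[src]))
    return hits


if __name__ == "__main__":
    for src, user, n in find_default_credential_logins(SAMPLE_LOG):
        print(f"suspicious Telnet login: {src} as '{user}' after {n} failed attempt(s)")
```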
Linux.BTCMine.26 mining malware code
It's noteworthy that the malware's source code has many references to Brian Krebs, one of the industry leaders when it comes to infosec, as it seems there's a war going on between infosec journalists and cybercriminals. The code also reveals that the malware uses the Minergate XMR pool to successfully mine the cryptocurrency.