Hackers found using cryptocurrency-mining bot to target IoT devices via financial scam site

• Cryptomining bot targets IoT devices with a running SSH service.
• The cryptomining bot can load miners on Linux.

Internet of Things (IoT) devices, with their expanding pool of machines, increasing popularity and trove of vulnerabilities, have been prime targets for hackers. Since the emergence of the proliferate Mirai botnet, attackers have increasingly targeted IoT devices to launch attacks that earn them a quick buck. Security researchers have uncovered that hackers are now targeting IoT devices to mine for cryptocurrency.

Hackers have been found using a cryptocurrency mining bot to target connected devices with a running secure shell (SSH) service. The bot searches for connected devices that have an open Remote Desktop Protocol (RDP) port, which can allow hackers the ability to take advantage of vulnerable devices.

“This particular bot is able to load miners on Linux, and it even has a persistence mechanism added in its installer script so that it’s able to add a service to the crontab, a configuration file where periodically run commands are specified,” Trend Micro researchers, who discovered the campaign, wrote in a blog.

Cryptominer connected to a financial scam site

Researchers also found that the bot attempts to download a script, which in turn installs a malware into the infected system. The site from which the script attempts to download the malicious files appears to be a financial scam site.

“Judging from the attacker’s behavior, the first URL could be used only as a jumping-off point,” Trend Micro researchers added. “This means that if the link is blocked, the attacker can just switch to another domain to continue operations without losing the potential scam site itself.”

Victims are tricked into installing the miner using social engineering techniques. The miner directly funds Monero and Ethereum into the scam site, which has been designed to appear as a regular site. However, the site contains a blog and a video tutorial that details how mining operations can be facilitated.

According to Trend Micro researchers, this kind of campaign that targets IoT devices to mine for cryptocurrencies, is not new.

“Using botnets is perhaps one of the most prevalent ways for attackers looking into abusing the IoT for their own gain (for cryptocurrency mining, in this example),” the researchers noted. “A single compromised device may not be powerful enough, but when the malware is spread in a bot-enabled fashion, an army of mining zombies might just prove lucrative down the road.”