A Linux Trojan that has been infecting IoT devices for half a year and made them run a SOCKS proxy server has now acquired spam-sending capabilities.
Doctor Web virus analysts first documented Linux.ProxyM back in February 2017, and posited that cybercriminals use this Trojan to ensure online anonymity. With the latest upgrade, they can also earn money by sending out spam.
“Two builds of this Trojan exist for devices possessing the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. In other words, Linux.ProxyM can operate on almost any Linux device, including routers, set-top boxes, and other equipment,” they shared.
Once a device is infected, it connects to a C&C server and downloads from it the addresses of two Internet nodes: the first provides a list of logins and passwords, and the second is required for the SOCKS proxy server to operate.
It also receives a command that contains an SMTP server address, the login and password used to access it, a list of email addresses, and a message template (typically adult content spam). On average, each device sends out 400 of these emails per day.
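The behaviour described above (a small embedded device that suddenly starts opening its own SMTP sessions to many outside mail servers) is easy to spot from the network side even when the device itself cannot run an agent. The following is an added detection example, not code from Doctor Web's report; it assumes a simple constructed flow-log format (`epoch src_ip dst_ip dst_port proto`), a LAN range of 192.168.1.0/24, and that the site's legitimate mail relays are known and can be allow-listed.

```python
"""Flag LAN hosts that act like spam bots: many direct SMTP sessions to many
external mail servers. Added detection example with constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SMTP_PORTS = {25, 465, 587}


@dataclass
class Finding:
    host: str
    smtp_connections: int
    distinct_servers: int


def build_sample_log():
    """Constructed flow-log lines (not real data): '<epoch> <src> <dst> <dport> <proto>'."""
    lines = []
    t = 1_500_000_000
    # Hypothetical infected set-top box pushing mail straight to five external SMTP hosts.
    for i in range(30):
        lines.append(f"{t + i} 192.168.1.1 203.0.113.{10 + i % 5} 25 tcp")
    # The site's real mail server, which relays everything through one ISP smarthost.
    for i in range(50):
        lines.append(f"{t + i} 192.168.1.5 198.51.100.7 25 tcp")
    # A laptop submitting two messages over the submission port.
    lines.append(f"{t} 192.168.1.30 198.51.100.7 587 tcp")
    lines.append(f"{t + 60} 192.168.1.30 198.51.100.7 587 tcp")
    # Unrelated HTTPS traffic and one malformed line the parser must skip.
    lines.append(f"{t} 192.168.1.30 203.0.113.99 443 tcp")
    lines.append("malformed line")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Return (epoch, src, dst, dport, proto) or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return int(ts), src, dst, int(port), proto
    except ValueError:
        return None


def find_spam_senders(log_text, lan_net="192.168.1.0/24", allowed_senders=frozenset(),
                      min_connections=20, min_servers=3):
    """Count outbound SMTP sessions per LAN host and report hosts that exceed both
    thresholds. Legitimate relays are excluded via allowed_senders rather than by
    heuristics, because a real MTA doing direct delivery also talks to many MX hosts."""
    lan = ipaddress.ip_network(lan_net)
    connections = defaultdict(int)
    servers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, dst, port, proto = rec
        if proto != "tcp" or port not in SMTP_PORTS or src in allowed_senders:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Only LAN hosts sending to addresses outside the LAN are of interest.
        if src_ip not in lan or dst_ip in lan:
            continue
        connections[src] += 1
        servers[src].add(dst)
    findings = [
        Finding(host, connections[host], len(servers[host]))
        for host in connections
        if connections[host] >= min_connections and len(servers[host]) >= min_servers
    ]
    return sorted(findings, key=lambda f: -f.smtp_connections)


if __name__ == "__main__":
    for f in find_spam_senders(SAMPLE_LOG, allowed_senders=frozenset({"192.168.1.5"})):
        print(f"{f.host}: {f.smtp_connections} SMTP sessions to {f.distinct_servers} servers")
```

In the constructed sample the mail server is excluded by the allow-list, the laptop falls under both thresholds, and only the set-top box is reported. The thresholds are deliberately low for the short sample; with the roughly 400 messages per day quoted above, a daily window with a threshold in the low hundreds would separate an infected device from ordinary client traffic, and blocking outbound port 25 from the IoT segment at the firewall removes the capability outright.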
The number of infected devices changed over the months. The total at any given time is unknown, as Doctor Web analysts only monitor some of them and the malware is capable of detecting honeypots (i.e. hiding from malware researchers).
Based on attacks launched during the past 30 days, a considerable percentage of infected devices is located in Brazil and the US.
“The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that,” the researchers noted.
“We can presume that the range of functions implemented by Linux Trojans will be expanded in the future.”