It has been a while since we last saw a new malware threat in the form of a cryptocurrency miner. Do not be mistaken in thinking cybercriminals have given up on the idea, though. A new cryptocurrency mining malware referred to as Linux.BTCMine.26 is actively distributed to Linux computers using default Telnet credentials. Unlike what the name suggests, it does not mine Bitcoin but is more interested in Monero. Additionally, it only targets X86-64 and ARM hardware-based devices.

Yet Another BTCMine Malware Variant

People who have kept tabs on the cryptocurrency mining malware scene may recognize the BTCMine name. It is neither the first nor the last time this name will be associated with nefarious tools designed to use other people’s device resources and mine cryptocurrency. With Bitcoin mining becoming extremely unprofitable without the use of specific hardware, there are other currencies which can still be mined with relative ease. One of those currencies is Monero, an altcoin which recently surged in value after weeks of sideways trading action.

The new mining malware was discovered earlier this week. It appears to be mainly targeting Linux servers and computers, which is not entirely unusual. While the Linux operating system has been pretty safe from cybercriminal activity the past few years, things are very different when it comes to cryptocurrency mining malware. Several types have targeted Linux users over the past few months and it looks like things will not be changing anytime soon. Linux.BTCMine.26 searches for Linux devices which use default or blank Telnet credentials to establish a connection.

One would be surprised by how many Linux device users do not take Telnet security seriously. Operators often fail to make changes to the default settings, which is never a good course of action. The malware has a built-in Telnet scanner similar to the one found in the Mirai malware. For now, this scanner will only seek out IPv4 addresses, although IPv6 support may be added in the future. Once it finds a susceptible IP address, it will attempt to log in through a Telnet connection. Assuming this connection is made successfully, the malware will execute commands to download the BTCMine binary in question.

This malware’s source code has many references to Brian Krebs, one of the industry leaders when it comes to infosec. There is a war going on between infosec journalists and cybercriminals, and calling out one another has become somewhat of the norm over the years. The code also reveals that the malware uses the Minergate XMR pool to successfully mine the cryptocurrency using the username “catsmeowalot@cock.li.” It is doubtful the pool could do anything about this, as the criminals would easily create a new username within seconds.

Sadly, this is yet another example of how cybercriminals are targeting cryptocurrency in one way or another. Some efforts focus on stealing wallets and phishing scams, whereas others just use computer resources to mine currencies such as Monero and ZCash. We will assuredly see other mining malware types emerge over the coming months, not all of which will only be native to the Linux operating system.

Cybercriminals still have a lot of love for cryptocurrencies in general. Monero is a far more anonymous solution compared to Bitcoin. This does not mean Monero is a perfect tool for criminals by any means, even though it is not hard to see why they would prefer to mine it than Bitcoin. It will be interesting to see how this situation evolves in the coming months and years. Until users start taking device security more seriously, malware types such as this one will always be somewhat successful.