Linux Trojan Using Hacked IoT Devices to Send Spam Emails
Botnets, like Mirai, that are capable of infecting Linux-based internet-of-things (IoT) devices are constantly increasing and are mainly designed to conduct Distributed Denial of Service (DDoS) attacks, but researchers have discovered that cybercriminals are using botnets for mass spam mailings.

New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM that cybercriminals use to ensure their online anonymity has recently been updated to add mas spam sending capabilities to earn money.

The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers.

Linux.ProxyM can operate on almost all Linux device, including routers, set-top boxes, and other equipment having the following architectures: x86, MIPS, PowerPC, MIPSEL, ARM, Motorola 68000, Superh and SPARC.

Here's How this Linux Trojan Works:

Once infected with Linux.ProxyM, the device connects to a command and control (C&C) server and downloads the addresses of two Internet nodes:

  • The first provides a list of logins and passwords
  • The second one is needed for the SOCKS proxy server to operate

The C&C server also sends a command containing an SMTP server address, the credentials used to access it, a list of email addresses, and a message template, which contains advertising for various adult-content sites.

A typical email sent using devices infected with this Trojan contains a message that reads:

Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you.
And she is a hottie!
Go here to see if you want to date this hottie
(Copy and paste the link to your browser)
Check out sexy dating profiles
There are a LOT of hotties waiting to meet you if we are being honest!

On an average, each infected device sends out 400 of such emails per day.

Although the total number of devices infected with this Trojan is unknown, Doctor Web analysts believe the number changed over the months.

According to the Linux.ProxyM attacks launched during the past 30 days, the majority of infected devices is located in Brazil and the US, followed by Russia, India, Mexico, Italy, Turkey, Poland, France and Argentina.
"We can presume that the range of functions implemented by Linux Trojans will be expanded in the future," Dr Web researchers say.
"The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that."
In order to protect your smart devices from getting hacked, you can head on to this article: How to Protect All Your Internet-Connected Home Devices From Hackers.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.