2 min Security

Mining malware switches from Arm-IoT to Intel servers

Mining malware switches from Arm-IoT to Intel servers

A mining malware previously only seen on Arm-controlled Internet or Things (IoT) devices has made the switch to Intel systems. That’s what security investigator Larry Cashdollar of Akamai discovered.

Cashdollar states that one of its honeypot systems has recently discovered an IoT malware that seems to target Intel machines running Linux. I suspect that it is a derivative of other IoT crypto mining botnets, according to the researcher opposite The Register. This one seems to be targeting enterprise systems.

The malware is tuned to Intel x86 and 686 processors. It seems to set up an SSH Port 22 connection and deliver itself as a gzip archive. The malware then checks if the machine is already infected or if there is an older version running that needs to be closed.

Three directories

If all this is not the case, the malware will create three different directories, with different versions of the same file.

Each directory contains a variation of the XMrig v2.14.1 cryptocurrency mineral in 32 bit or 64 bit format, according to Cashdollar. Some binaries are named after common Unix tools, hoping to be unnoticeable in a normal process list.

The malware then installs the cryptographic currency mine-mining tool itself. It also adjusts the system’s crontab file to keep the malware running after a reboot. Finally, the malware installs a shell script, which allows it to talk to the command and control server.


It seems that the hackers have entered a new market to expand their mining operations. When there were no new Arm and MIPS-controlled devices, they started looking for Intel systems that accept files via SSH port 22.

Criminals continue to use unsecured resources to make money in every way they can, says Cashdollar. System administrators should apply security best practices to the systems they manage.

The security researcher points out that unsecured services with unpatched vulnerabilities and weak passwords are the main targets for abuse.