First posted on 27 October 2017.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Linux/IoTReaper.

Explanation:

Connects to remote server

The threat regularly connects to a C2 server, and can receive and run Lua scripts provided by the server. It uses a built-in Lua execution engine, and can open SMTP, FTP, and HTTP connections.

It could potentially perform the following actions:

  • Send spam messages
  • Perform denial of service (DoS) attacks
  • Search for other vulnerable devices on the Internet

It can also send information about the device to a server, including information such as:

  • MAC address
  • Software version of the device

We have seen it attempt to connect to:

  • hxxp://38[.]27[.]102[.]18:8012/api/api[.]php
  • hxxp://bbk80[.]com/api/api[.]php
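
As an added example that is not part of the original write-up, the following Python refangs the two C2 URLs listed above and runs them against constructed egress-proxy log lines (timestamp, source IP, method, URL; a made-up format) to flag devices beaconing to the listed C2, including the case where the known C2 IP is contacted on a port other than 8012:

```python
import re
from typing import Dict, List

# Indicators as written on the page, in defanged form.
DEFANGED_C2 = [
    "hxxp://38[.]27[.]102[.]18:8012/api/api[.]php",
    "hxxp://bbk80[.]com/api/api[.]php",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a comparable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def _host(url: str) -> str:
    """Return the host[:port] part of an http(s) URL ('' if malformed)."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m else ""

C2_URLS = {refang(u) for u in DEFANGED_C2}
C2_HOSTS = {_host(u) for u in C2_URLS}                      # host[:port]
C2_BARE_HOSTS = {h.split(":")[0] for h in C2_HOSTS}         # host without port

# Constructed sample log lines (not real traffic): "<time> <src-ip> <method> <url>".
SAMPLE_LOGS = """\
2017-10-27T10:01:02Z 192.168.1.23 GET http://bbk80.com/api/api.php
2017-10-27T10:01:05Z 192.168.1.40 GET http://example.org/index.html
2017-10-27T10:02:11Z 192.168.1.23 POST http://38.27.102.18:8012/api/api.php
2017-10-27T10:03:00Z 192.168.1.77 GET http://38.27.102.18/other
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def match_c2(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL points at a listed C2 URL or host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the assumed format
        ts, src, _method, url = m.groups()
        host = _host(url)
        if url in C2_URLS:
            reason = "exact C2 URL"
        elif host in C2_HOSTS:
            reason = "known C2 host"
        elif host.split(":")[0] in C2_BARE_HOSTS:
            reason = "known C2 host, different port"
        else:
            continue
        hits.append({"time": ts, "src": src, "url": url, "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOGS):
        print(hit)
```

Each hit carries the source IP, so the output doubles as a list of internal devices to isolate and inspect.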

Exploits IoT devices to steal credentials

This malware has components that can be used to exploit IoT devices. These exploits, including one for CVE-2017-8225, can be used to obtain the login credentials of these devices.

Last update 27 October 2017