A trojan thought to have died out resurfaced with new attacks and a new and improved version, launching new attacks on routers running Linux-based firmware located in India's cyber-space.

Linux.PNScan appeared online in August 2015, when Dr.Web first reported on two variants, which were later seen attacking routers in late September of the same year.

First Linux.PNScan versions targeted ARM, MIPs, or PowerPC architectures

Based on analysis from Dr.Web and security researcher MalwareMustDie!, we know that Linux.PNScan is an ELF binary that targets routers running on ARM, MIPs, or PowerPC architectures.

The trojan was used mainly for DDoS attacks, supporting ACK, SYN, and UDP packet floods. Additionally, PNScan included worm-like features, with the ability to spread to other routers that were also using Linux-based firmware.

Linux.PNScan.1 used dictionary-based attacks in its attempts to brute-force other devices, while Linux.PNScan.2 used only three username - password combos: root/root; admin/admin; and ubnt/ubnt.

New version resurfaces with x86 support, attacks in India

Attacks with this trojan have slowly died down after the initial detection, but according to MalwareMustDie!, the trojan received an update, allowing it to also target Linux routers running on the more popular x86 (i86) architecture.

Since then, Linux.PNScan has made a comeback, being deployed in attacks in the past six months.

"I thought the threat is becoming inactive now and it looks like I'm wrong," says MalwareMustDie!. "The malware [...] is hardcoded to aim [at the] 183.83.0.0/16 segment (located in network area of Telangana and Kashmir region of India), where it was just spotted."

Based on the features detected by MalwareMustDie!, this seems to be an evolution of Linux.PNScan.2, since it continues to use only three set of admin credentials when brute-forcing other nearby routers, and not a dictionary attack.

Detecting infected routers is a little bit tricky, but PNScan creates a series of files on compromised devices, as listed below:

permission size date filename function

----------------------------------------------------------------

-rw-r--r-- 387 Aug 23 12:06 list2 <-- connected hosts

-rw-r--r-- 4 Aug 23 12:02 MalwareFile.pid <-- pids

-rw-r--r-- 0 Aug 23 12:02 daemon.log <-- malware log

-rw-r--r-- 35 Aug 23 12:02 login2 <-- brute auth

drwxr-xr-x 4096 Aug 23 12:02 files/ <-- updates/downloads