I have been paying close attention to Internet of Things (IoT) malware targeting systems with Telnet enabled, while also collecting samples targeting systems with SSH enabled on port 22. I’ve collected over 650 samples landing in my honeypot within the last week. The earliest sample showed up on July 24th at 20:06. The honeypot allows logins using known default login credentials for root.
The malware is uploaded as gzip-compressed tarball archives of binaries, scripts, and libraries. The libraries reside under the directory c/lib. I thought they would be required to run the binaries in the tarball, but the binaries are compiled statically, so the libraries are extraneous.
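One way to check the static-linking observation during triage, as an added example that is not code from the original post: it reads a gzip tarball in memory, never extracts to disk, and classifies each ELF member by its program headers. The member names and the tiny ELF stubs in `build_sample` are constructed for illustration.

```python
import io
import struct
import tarfile

PT_DYNAMIC, PT_INTERP = 2, 3  # ELF program header types

def elf_linkage(data):
    """Classify an ELF image by its program headers; None if not a parsable ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"          # EI_DATA: byte order
    if data[4] == 1:                            # EI_CLASS: 32-bit layout
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:                                       # 64-bit layout
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    types = set()
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            return None                         # truncated or malformed header table
        types.add(struct.unpack_from(end + "I", data, off)[0])
    if PT_INTERP in types:
        return "dynamic"                        # asks for a loader, needs shared libraries
    if PT_DYNAMIC in types:
        return "shared-object-or-static-pie"
    return "static"                             # no loader, no dynamic section

def triage_tarball(blob):
    """Map member name -> linkage for every ELF in a gzip tarball, without extracting to disk."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                kind = elf_linkage(tar.extractfile(member).read(1 << 20))  # headers sit near the start
                if kind:
                    report[member.name] = kind
    return report

def build_sample():
    """Constructed tarball: three minimal 32-bit ELF stubs and a script (not real samples)."""
    def stub(p_type):
        ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        return ehdr + struct.pack("<8I", p_type, 0, 0, 0, 0, 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("bin/bot", stub(1)), ("bin/tool", stub(3)), ("c/lib/libx.so", stub(2)), ("run.sh", b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A member reported as `static` carries no `PT_INTERP` or `PT_DYNAMIC` header, which is the case where bundled libraries are not needed to run it.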