Linux.Lady, a Go-based Linux Trojan that mines cryptocurrency

Pierluigi Paganini August 10, 2016

Russian antivirus company Doctor Web discovered a new Linux Trojan dubbed Linux.Lady that is used by crooks to mine cryptocurrency.

According to a new report published by the antivirus company Doctor Web, a Go-based Linux Trojan dubbed Linux.Lady.1 is being used by cyber criminals for cryptocurrency mining.

“Doctor Web analysts have detected and examined a new Linux Trojan which is able to run a cryptocurrency mining program on an infected computer. Its key feature lies in the fact that it is written in Go, a language developed by Google.” states the report published by Doctor Web.

The Linux.Lady Trojan is written in Google’s Go programming language and uses various libraries that are available on GitHub. Go was introduced by Google in 2009. Using Go to develop malicious code is not new: it was first used to create malware in 2012, although it is not especially popular in the vxer community.

When Linux.Lady infects a system, it gathers information about it, including the Linux operating system version, the number of CPUs and processes.

Once it has collected information on the infected host, the malware sends it to a command and control (C&C) server, which in turn provides a configuration file for downloading a cryptocurrency mining application.

The sample of Linux.Lady analyzed by Doctor Web was mining a cryptocurrency named Monero.

Another interesting feature of Linux.Lady allows the malware to spread to other Linux computers on the infected network.

“The Trojan receives a configuration file containing information necessary for the Trojan’s operation. Then it downloads and launches a cryptocurrency mining program. The malware determines an external IP address of the infected computer using special websites specified in the configuration file.” states the report on the threat. “The Trojan then calculates the mask of the subnet External_ip\8 (mask is and tries to connect to the remote hosts via port 6379 (redis) without entering a password. If the connection is established, Linux.Lady.1 opens the URL specified in the configuration file, downloads a script detected as Linux.DownLoader.196, and adds it to the cron scheduler of the infected computer:”
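Administrators can check their own servers for the condition this propagation step relies on, a Redis listener on port 6379 that is reachable from the network and accepts commands without a password. The Python code below is an added example, not code from Doctor Web's report or from this article. The sample configurations are constructed, and the audit assumes a Redis version that supports `protected-mode` (3.2 or later), ignores ACL users, and deliberately errs on the side of flagging.

```python
import ipaddress

# Constructed sample configurations, not taken from any real host.
WEAK = "bind 0.0.0.0\nport 6379\nprotected-mode no\n"
HARDENED = 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass "constructed-long-random-secret"\n'

def parse_conf(text):
    """Map each redis.conf directive to its argument list (a later line replaces an earlier one)."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = [p.strip("\"'") for p in parts[1:]]
    return conf

def is_loopback(addr):
    try:
        # Newer Redis allows a "-" prefix on bind addresses; drop it before parsing.
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # "*" or a hostname: assume it is reachable from the network

def audit(text):
    """Flag a config whose TCP listener can be used from the network without a password."""
    conf = parse_conf(text)
    if (conf.get("port") or ["6379"])[0] == "0":
        return {"exposed": False, "findings": []}  # TCP listener disabled
    findings = []
    has_password = bool((conf.get("requirepass") or [""])[0])
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    external = [b for b in conf.get("bind", []) if not is_loopback(b)]
    if not has_password:
        findings.append("no requirepass: commands are accepted without a password")
        if not protected:
            findings.append("protected-mode no: remote unauthenticated clients are not refused")
        if external:
            findings.append("bind includes non-loopback address(es): " + ", ".join(external))
    # Conservative: either condition alone, without a password, counts as exposed.
    exposed = not has_password and (not protected or bool(external))
    return {"exposed": exposed, "findings": findings}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

Pass the contents of a server's own `redis.conf` to `audit()`; any result with `exposed` set to true should be fixed by setting `requirepass` and restricting `bind` to loopback or a trusted interface.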


Doctor Web experts have discovered other Linux malware in the past, including the Encoder ransomware and the Ekoms malware.

Mining is a profitable business for cyber criminals, who exploit victims’ computational resources to make money.

Pierluigi Paganini

(Security Affairs – Linux.Lady, Linux)
