Malware

Linux.Lady, a Go-based Linux Trojan that mines cryptocurrency

Russian antivirus company Doctor Web discovered a new Linux Trojan dubbed Linux.Lady that is used by crooks to mine cryptocurrency.

According to a new report published by the antivirus company Doctor Web, a Go-Based Linux Trojan, Dubbed Linux.Lady.1, is exploited by cyber criminals for cryptocurrency mining.

“Doctor Web analysts have detected and examined a new Linux Trojan which is able to run a cryptocurrency mining program on an infected computer. Its key feature lies in the fact that it is written in Go, a language developed by Google.” states the report published by Doctor Web.

The Linux.Lady Linux Trojan is written in Google’s Go programming language and it uses various libraries that are available on GitHub. Go was introduced by Google in 2009, the use of the Go programming language to develop a malicious code is not a novelty, it was first used with the intent of creating malware in 2012 despite it isn’t so popular in the vxer community.

When the Linux.Lady infects a system, it gathers  information on the system, including the Linux operating system version, the number of CPUs and processes.

Once collected info on the infected host, the malware sent it back to a command and control (C&C) server, which in turn provides a configuration file for downloading a cryptocurrency mining application.

The sample of Linux.Lady analyzed by Doctor Web was mining a cryptocurrency named Monero.

Another interesting feature implemented in the Linux.Lady allows the malware to spread to other Linux computers on the infected network.

“The Trojan receives a configuration file containing information necessary for the Trojan’s operation. Then it downloads and launches a cryptocurrency mining program. The malware determines an external IP address of the infected computer using special websites specified in the configuration file.” states the report on the threat. “The Trojan then calculates the mask of the subnet External_ip\8 (mask is 255.0.0.0) and tries to connect to the remote hosts via port 6379 (redis) without entering a password. If the connection is established, Linux.Lady.1 opens the URL specified in the configuration file, downloads a script detected as Linux.DownLoader.196, and adds it to the cron scheduler of the infected computer:”

 

In the past other Linux malware were discovered by the experts at Doctor Web, including the Encoder ransomware and the Ekoms malware.

Mining activities are a profitable business for cyber criminals that exploits victims’ computational resources to make money.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux.Lady, Linux)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.