Experts found a new powerful modular Linux cryptominer

Security experts from Russian antivirus firm Dr.Web have discovered a new strain of Linux cryptominer tracked as Linux.BtcMine.174.

The Linux cryptominer has a multicomponent structure that implements a broad range of features in over 1,000 lines of code.

When the Monero Linux cryptominer is first executed it checks whether the server, from which the Trojan will subsequently download additional modules, is available.

Then it finds a folder on disk to which it has write permissions so it can copy itself and use it as a repository for the downloading of additional modules.

The Linux.BtcMine.174 Linux cryptominer uses one of two privilege escalation exploits CVE-2016-5195 (aka Dirty COW) and CVE-2013-2094 to get root permissions on the infected system.

The Linux miner also adds itself as an autorun entry to files like /etc/rc.local, /etc/rc.d/…, and /etc/cron.hourly; and then downloads and runs a rootkit.

“If the script is not run with /sbin/init, the following actions are performed:

The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package). ” Reads the analysis published by Dr. Web.

Once the malware has infected the Linux system, it will scan and terminate the processes of several miners, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.). Experts also discovered that the Trojan also kill antivirus software, including Avast, AVG, Dr.Web and ESET.

Then the Linux.BtcMine.174. downloads and starts its own Monero-mining operation.

The Linux malware also downloads another Trojan, tracked as Linux.BackDoor.Gates.9 that implements backdoor features and allows to carry out DDoS attacks.

Linux.BtcMine.174 also downloads and executes with the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

The Trojan also collects data for all the hosts to which the current user has previously connected via SSH and tries to connect them.

Experts believe the malware is spreading using SSH credentials stolen on the infected systems.

Additional technical details are included in the report published by Dr.Web, the experts also published SHA1 hashes for the various components of the malware on GitHub.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Linux cryptominer, Linux.BtcMine.174)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.