Pierluigi Paganini February 10, 2019

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner.

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner, researchers observed it killing other Linux malware and coin miners present on the infected machine.

The experts detected a coinminer script on one of their honeypots and, the malicious code shares some parts with the Xbash malware and the KORKERDS cryptocurrency miner that leverages rootkit to avoid detection.

“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS.” reads the analysis published by Trend Micro.

“It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.”

Experts noticed that this specific variant of KORKERDS leverages the rootkit to download a binary of a modified version of a universal Stratum XMR-Stak pool miner.

According to the experts, the infection started from some IP cameras and web services via TCP port 8161, where the attacker attempts to upload a crontab file.

The crontab file allows to launch a second stage that implements the following three functions:

• Function B kills previously installed malware, coin miners, and all related services referenced to an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories, files, and stop processes with connections to identified IP addresses.
• Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
• Function C downloads a script from hxxp://yxarsh.shop/0, saves it to /usr/local/bin/dns file, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs.

The malware attempts to hide its presence by clearing system logs and achieve persistence using implanted crontab files.

Compared to the original KORKERDS cryptocurrency miner, the new script improved the way it downloads and executes the files. It inserts a single crontab that fetches all the code and the miner component.

“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit.” concludes Trend Micro.

Further details, including indicators of compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – coin miner, malware)

[adrotate banner=”5″] [adrotate banner=”13″]