Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner, researchers observed it killing other Linux malware and coin miners present on the infected machine.
The experts detected a coinminer script on one of their honeypots and, the malicious code shares some parts with the Xbash malware and the KORKERDS cryptocurrency miner that leverages rootkit to avoid detection.
“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS.” reads the analysis published by Trend Micro.
“It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.”
Experts noticed that this specific variant of KORKERDS leverages the rootkit to download a binary of a modified version of a universal Stratum XMR-Stak pool miner.
According to the experts, the infection started from some IP cameras and web services via TCP port 8161, where the attacker attempts to upload a
The crontab file allows to launch a second stage that implements the following three functions:
The malware attempts to hide its presence by clearing system logs and achieve persistence using implanted crontab files.
Compared to the original KORKERDS
“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit.” concludes Trend Micro.
Further details, including indicators of compromise, are reported in the analysis published by Trend Micro.