Crooks continue to use crypto-mining malware as a preferred way to compromise victims' devices and earn virtual currency for their own profit.
This type of malware is usually easy to detect because it saturates the device's resources. Nonetheless, experts from Trend Micro have spotted a new variant: a crypto miner that bundles a rootkit component to hide its presence.
Although the victim's device becomes slow, the user is unable to identify which process is consuming the CPU.
“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” reads the report published by Trend Micro.
“It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”
Experts speculate that the infection vector may be an unofficial or compromised plugin, such as media-streaming software.
Once installed on the victim's device, the trojan downloader, Trojan.Linux.DLOADER.THAOOAAK, downloads a shell script from Pastebin. The file is stored as /bin/httpdns, and a scheduled task is created to run /bin/httpdns every hour. When executed, the shell script connects to a remote location and downloads another base64-encoded text file.
This chain downloads and executes a series of shell scripts that ultimately install the miner and then the rootkit that hides its presence.
However, the malware has a weakness. Experts pointed out that when the rootkit is not installed, users can easily spot the malicious process consuming 100% of the CPU.
The following images show how the rootkit hides the malware process.
Once the rootkit is installed, though, the process causing the high CPU load is no longer visible, even though the total system utilization is still shown as 100%.
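The two observations above (the hidden process versus the still-visible 100% system utilization, and the hourly scheduled task running /bin/httpdns) suggest a simple host-side check. The Python below is an added example, not Trend Micro's tooling or code from the write-up: it compares system-wide busy time from /proc/stat with the summed CPU time of the processes the host actually lists, flags the gap that a listing-level rootkit leaves behind, and scans crontab entries for the dropped path. The /proc snapshots, the crontab lines, the placeholder process name "miner" and the 50% threshold are all constructed assumptions for the example.

```python
"""Detection heuristics for a Linux coin miner hidden by a process-hiding rootkit.

Added example, not Trend Micro's or the author's code. It relies on two facts
from the write-up: the downloader persists as /bin/httpdns run by an hourly
scheduled task, and the rootkit hides the miner from process listings while
system-wide CPU utilization still reads 100%. Every sample below is
constructed; the 50% threshold is an assumption.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Counters on the aggregate "cpu" line of /proc/stat, in clock ticks (proc(5)).
_CPU_FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")


def parse_proc_stat_cpu(text: str) -> Dict[str, int]:
    """Return the aggregate CPU counters from the text of /proc/stat."""
    for line in text.splitlines():
        if line.startswith("cpu "):
            values = [int(v) for v in line.split()[1:1 + len(_CPU_FIELDS)]]
            return dict(zip(_CPU_FIELDS, values))
    raise ValueError("no aggregate cpu line in /proc/stat")


def busy_ticks(cpu: Dict[str, int]) -> int:
    """Ticks spent on anything other than idling or waiting for I/O."""
    return sum(v for k, v in cpu.items() if k not in ("idle", "iowait"))


def parse_proc_pid_stat(text: str) -> Tuple[int, str, int]:
    """Return (pid, comm, utime + stime) from one /proc/<pid>/stat line.

    comm sits in parentheses and may contain spaces or ')', so split on the
    last ')' rather than naively on whitespace.
    """
    head, _, tail = text.rpartition(")")
    pid_str, comm = head.split("(", 1)
    fields = tail.split()
    # After ')': state ppid pgrp session tty_nr tpgid flags minflt cminflt
    # majflt cmajflt utime stime ...  so utime is index 11, stime index 12.
    return int(pid_str), comm, int(fields[11]) + int(fields[12])


def unaccounted_cpu_ratio(stat_before: str, stat_after: str,
                          pids_before: Iterable[str], pids_after: Iterable[str]) -> float:
    """Fraction of system busy time over an interval that no listed process explains.

    Hiding a process from ps/top-style listings does not alter the aggregate
    counters in /proc/stat, so a large gap between system busy ticks and the
    sum of per-process ticks points at a consumer the listing cannot see.
    """
    busy = busy_ticks(parse_proc_stat_cpu(stat_after)) - busy_ticks(parse_proc_stat_cpu(stat_before))
    if busy <= 0:
        return 0.0
    before = {p: t for p, _, t in map(parse_proc_pid_stat, pids_before)}
    after = {p: t for p, _, t in map(parse_proc_pid_stat, pids_after)}
    visible = sum(t - before.get(p, 0) for p, t in after.items())
    return max(0.0, (busy - visible) / busy)


def hidden_consumer_suspected(ratio: float, threshold: float = 0.5) -> bool:
    """Flag when more than `threshold` of the busy time is unaccounted for (assumed cut-off)."""
    return ratio > threshold


def find_scheduled_runs(crontab_lines: Iterable[str], path: str = "/bin/httpdns") -> List[str]:
    """Return non-comment crontab entries whose command invokes `path`.

    The write-up gives the dropped path and an hourly cadence but not the
    exact schedule fields, so this matches on the path alone.
    """
    pattern = re.compile(r"(^|\s)" + re.escape(path) + r"(\s|$)")
    return [ln.strip() for ln in crontab_lines
            if ln.strip() and not ln.strip().startswith("#") and pattern.search(ln.strip())]


# --- constructed samples: two snapshots taken a few seconds apart -------------
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 10 0\n"
STAT_AFTER = "cpu  5000 0 1500 8050 100 0 10 0\n"
PIDS_BEFORE = [
    "1 (systemd) S 0 1 1 0 -1 4194560 1000 20 5 0 100 50 0 0 20 0 1 0 10 10000 500",
    "842 (sshd) S 1 842 842 0 -1 4194624 300 0 0 0 40 10 0 0 20 0 1 0 500 72000 600",
]
# The listing as the rootkit presents it: the miner's PID is simply absent.
PIDS_AFTER_HIDDEN = [
    "1 (systemd) S 0 1 1 0 -1 4194560 1000 20 5 0 120 60 0 0 20 0 1 0 10 10000 500",
    "842 (sshd) S 1 842 842 0 -1 4194624 300 0 0 0 50 15 0 0 20 0 1 0 500 72000 600",
]
# The same listing with the miner visible ("miner" is a placeholder name).
PIDS_AFTER_VISIBLE = PIDS_AFTER_HIDDEN + [
    "3021 (miner) R 1 3021 3021 0 -1 4194304 300 0 0 0 4800 150 0 0 20 0 4 0 9000 200000 3000",
]
SAMPLE_CRONTAB = """\
# constructed system crontab, not a real capture
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 * * * * root /bin/httpdns
"""


def demo() -> Dict[str, object]:
    """Run both checks over the constructed samples and return the findings."""
    hidden = unaccounted_cpu_ratio(STAT_BEFORE, STAT_AFTER, PIDS_BEFORE, PIDS_AFTER_HIDDEN)
    visible = unaccounted_cpu_ratio(STAT_BEFORE, STAT_AFTER, PIDS_BEFORE, PIDS_AFTER_VISIBLE)
    return {
        "unaccounted_when_hidden": round(hidden, 3),
        "unaccounted_when_visible": round(visible, 3),
        "suspect_hidden_consumer": hidden_consumer_suspected(hidden),
        "scheduled_runs": find_scheduled_runs(SAMPLE_CRONTAB.splitlines()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live host the same functions would be fed two reads of /proc/stat and the /proc/<pid>/stat files enumerated by the process tools, plus the contents of the system and per-user crontabs; the point of the comparison is that the kernel's aggregate counters are not under the rootkit's control even when the per-process view is.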
“While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable.”
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.