
Crooks are infecting users' devices with a cryptocurrency miner that uses a rootkit to evade detection.

Crooks continue to favour crypto-mining malware as a way to attack victims' devices and turn their CPU time into virtual money for the attackers' own profit.

This type of malware is usually easy to spot, because it saturates the device's resources. Nonetheless, experts from Trend Micro have documented a new variant: a crypto miner that ships with a rootkit component to hide its presence.

The victim's device is still slow, but the user cannot identify which process is consuming the CPU.

“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” reads the report published by Trend Micro.

“It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”


Experts speculate that the infection vector may be an unofficial or compromised plugin, such as one for media-streaming software.

Once on the victim's device, the trojan downloader, Trojan.Linux.DLOADER.THAOOAAK, fetches a shell script from Pastebin. The script is saved as /bin/httpdns, and a scheduled task (a cron job) is created to run /bin/httpdns every hour. When executed, the script connects out and downloads a further base64-encoded text file.

This chain downloads and executes a series of shell scripts that ultimately install the miner and then the rootkit that hides it.

The malware does have a weakness, however. The experts pointed out that, as long as the rootkit is not installed, users can easily spot the malicious process, since it consumes 100% of the CPU.

The screenshots from the report (not reproduced here) show how the rootkit hides the miner process.


Once the rootkit is installed, however, the process responsible for the high CPU load is no longer visible, even though total system utilization still reads 100%.

“The rootkit component of the cryptocurrency-mining malware is a slightly modified/repurposed version of a publicly available code. Upon installation, all processes named “kworkerds” will be invisible to process monitoring tools,” concludes the report.

“While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable.”
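A triage script for a Linux host suspected of this infection, added here as an example; it is not code from the article or from the Trend Micro report. It checks the things the article gives a handle on: the hourly cron job that runs /bin/httpdns, the dropped file itself, and any process that the /proc directory listing no longer reports but that still answers to a direct probe. That last check assumes the rootkit hides processes by filtering directory reads of /proc, which is how the public rootkit code such components are usually built from works; the article only says that processes named kworkerds become invisible to monitoring tools. The /etc/ld.so.preload check is a generic one that the article does not describe. Probing /proc/<pid> with a stat-style test gets past a readdir hook, but not a rootkit that also hooks stat or open on /proc, so a clean result is not proof of a clean host.

```shell
#!/bin/sh
# Added triage script for a Linux host suspected of a KORKERDS-style infection.
# Example code written for this page, not code from the article or from the
# Trend Micro report. Indicators taken from the article: the dropper path
# /bin/httpdns, its hourly cron job and the hidden process name "kworkerds".
# The listing bypass below ASSUMES the rootkit hides processes by hooking
# directory reads of /proc; the article does not state how the hiding works.

HTTPDNS_PATH="/bin/httpdns"   # dropper/updater path named in the article
MINER_NAME="kworkerds"        # process name the report says becomes invisible

# cron_hits: read crontab text on stdin and print the non-comment lines that
# run $HTTPDNS_PATH. Prints nothing (and still succeeds) when nothing matches.
cron_hits() {
    grep -F "$HTTPDNS_PATH" | grep -v '^[[:space:]]*#' || true
}

# hidden_pids: $1 = PIDs as the /proc directory listing reports them (what ps
# and top see), $2 = PIDs found by probing /proc/<pid> directly. Prints the
# PIDs present in $2 but absent from $1. Lists may be space- or newline-separated.
hidden_pids() {
    visible=" $(printf '%s ' $1)"
    for p in $2; do
        case "$visible" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# listed_pids: numeric entries of /proc via a normal directory listing. A
# readdir-hooking rootkit filters this view, and ps/top are built on it.
listed_pids() {
    ls /proc 2>/dev/null | grep -E '^[0-9]+$' || true
}

# probed_pids: walk 1..pid_max and test each /proc/<pid> directly. [ -d ]
# stats the path instead of reading the parent directory, so a readdir hook
# does not filter it. With pid_max at 4194304 this can take a while.
probed_pids() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# triage: run the live checks and print a short report (run as root).
triage() {
    echo "[*] cron entries that run $HTTPDNS_PATH:"
    { cat /etc/crontab /etc/cron.d/* 2>/dev/null; crontab -l 2>/dev/null; } | cron_hits

    echo "[*] $HTTPDNS_PATH present on disk:"
    if [ -e "$HTTPDNS_PATH" ]; then ls -l "$HTTPDNS_PATH"; else echo "    no"; fi

    echo "[*] /etc/ld.so.preload (generic check: preload rootkits register here):"
    cat /etc/ld.so.preload 2>/dev/null || echo "    absent"

    echo "[*] PIDs reachable by direct probe but missing from the /proc listing:"
    found=0
    for p in $(hidden_pids "$(listed_pids)" "$(probed_pids)"); do
        # Short-lived processes can land in only one of the two snapshots:
        # drop a candidate that is gone now or shows up in a fresh listing.
        [ -d "/proc/$p" ] || continue
        ls /proc 2>/dev/null | grep -qx "$p" && continue
        comm=$(cat "/proc/$p/comm" 2>/dev/null || echo '?')
        printf '    pid %s comm=%s' "$p" "$comm"
        [ "$comm" = "$MINER_NAME" ] && printf '  <-- name from the report'
        echo
        found=1
    done
    if [ "$found" -eq 0 ]; then echo "    none"; fi
}

# Only walk the PID space when explicitly asked, so the helpers can be
# sourced or tested on their own:  sh korkerds_triage.sh --run
case "${1:-}" in
    --run) triage ;;
esac
```

Run it as root with `sh korkerds_triage.sh --run`. A cheaper corroborating sign, which the report itself notes the rootkit cannot hide, is the mismatch between total CPU time in top or /proc/stat and the CPU accounted for by the processes that are listed: if the machine sits at 100% and no visible process explains it, something is being hidden from the listing.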

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and the founder of the computer security blog seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and computer network security. He is also a freelance writer.
