Linux Cryptocurrency miner leverages rootkit to avoid detection

Researchers from Trend Micro spotted a new cryptocurrency miner that leverages a rootkit component to hide its presence on the infected systems.

Cryptocurrency malware continues to be a privileged choice for crooks and the number of victims is rapidly growing.

Cryptocurrency miners are easy to detect due to the saturation of resources on the affected systems, but experts from Trend Micro spotted a new miner that leverages a rootkit component to hide its presence.

Even when the malware slows down an infected system by consuming its resources, administrators will not be able to tell which process is responsible.

“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” reads the report published by Trend Micro.

“It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”

The experts speculate that the infection vector could be an unofficial or compromised plugin, such as media-streaming software.

Once installed, the initial executable (Trojan.Linux.DLOADER.THAOOAAK) downloads a shell script from Pastebin. The file is saved as /bin/httpdns, a scheduled task is created to run /bin/httpdns every hour, and the shell script is executed. /bin/httpdns is itself a shell script that connects out and downloads another base64-encoded text file.

This chain downloads and executes a series of shell scripts that ultimately install the miner and then the rootkit that hides it.

Linux cryptocurrency miner rootkit

Experts pointed out that when the rootkit is not installed, administrators can easily detect the malicious process utilizing 100% of the CPU.

The following images show how the miner process is hidden by the rootkit.

Linux cryptocurrency miner rootkit

Linux cryptocurrency miner rootkit

Once the rootkit is installed, though, the process causing the high CPU is not visible even though the total system utilization is still shown as 100%.

“The rootkit component of the cryptocurrency-mining malware is a slightly modified/repurposed version of publicly available code. Upon installation, all processes named ‘kworkerds’ will be invisible to process monitoring tools,” concludes the report.
“While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable.”
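Added example (not code from the Trend Micro report or from Security Affairs): a defender-side Python script that looks for the two symptoms described above on a Linux host, a process missing from the process list and CPU time that no visible process accounts for, plus the hourly /bin/httpdns cron entry. It assumes the rootkit hides the process by filtering the /proc directory listing (so a direct stat() of /proc/<pid> still succeeds); all sample data is constructed.

```python
import os

CRON_IOC = "/bin/httpdns"   # dropper path named in the report

def listed_pids(proc="/proc"):
    """PIDs as a directory listing of /proc reports them (what ps/top rely on)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(pid_max, proc="/proc"):
    """PIDs found by stat()'ing /proc/<pid> directly, which a readdir() filter cannot hide.
    Assumption: the rootkit hides by filtering directory listings, not by patching stat()."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
    return found

def hidden_pids(listed, probed):
    """Processes that exist but are missing from the listing: the rootkit's hidden set."""
    return sorted(probed - listed)

def busy_ticks(proc_stat_text):
    """user + nice + system ticks from the aggregate 'cpu' line of /proc/stat."""
    fields = proc_stat_text.splitlines()[0].split()
    return sum(int(x) for x in fields[1:4])

def process_ticks(pid_stat_text):
    """utime + stime (fields 14 and 15) of one /proc/<pid>/stat line."""
    after_comm = pid_stat_text.rsplit(")", 1)[1].split()   # comm may contain spaces
    return int(after_comm[11]) + int(after_comm[12])

def cpu_gap_ratio(proc_stat_text, visible_pid_stats):
    """Fraction of busy CPU ticks that no visible process accounts for.
    Near 1.0 is the 'system at 100%, nothing to blame' symptom of a hidden miner."""
    total = busy_ticks(proc_stat_text)
    visible = sum(process_ticks(t) for t in visible_pid_stats)
    return 0.0 if total == 0 else max(0.0, (total - visible) / total)

def cron_references(crontab_text, ioc=CRON_IOC):
    """Active crontab lines invoking the dropper path (the hourly persistence)."""
    return [ln for ln in crontab_text.splitlines()
            if ioc in ln and not ln.lstrip().startswith("#")]

if __name__ == "__main__":   # live check on a Linux host (probe takes a few seconds)
    with open("/proc/sys/kernel/pid_max") as f:
        print("hidden PIDs:", hidden_pids(listed_pids(), probed_pids(int(f.read()))))
```

Run it as a script on the host for the live PID cross-check; the tick and cron functions also accept captured /proc and crontab text, so the logic can be exercised on sample data offline.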

Pierluigi Paganini

(Security Affairs – Linux cryptocurrency miner, hacking)
