Security analysts have discovered a sample of Linux crypto-mining malware that kills any competing miners it finds on the host as part of its installation. Trend Micro analysts spotted the malware during a routine log check, after a script on one of their honeypots began downloading a binary from a remote domain.
The binary turned out to be a modified version of the XMR-Stak cryptocurrency miner, which Trend Micro detects as Coinminer.Linux.MALXMR.UWEIU. The script did not stop at downloading the miner: it also removed several other crypto-mining malware families and their related services from the machine, and kept doing so for as long as the infection lasted.
The malware also created new directories and files, and killed any process that held a connection to one of a list of known IP addresses.
Similarity to other threats
While analyzing Coinminer.Linux.MALXMR.UWEIU, the researchers found that its script shares several attributes with threats they had detected previously. In particular, they noted similarities to Xbash.
Xbash is a malware family discovered in September 2018 that combines cryptocurrency mining, ransomware, worm, and scanner capabilities in its attacks on Windows and Linux servers. The new miner's script is almost identical to that of KORKERDS, discovered in November 2018, but there are a few notable differences.
The new script simplifies the routine KORKERDS uses to download and execute files and to load the Linux coin-mining sample. It also does not uninstall security products from the infected machine or attempt to install a rootkit; instead, its kill list focuses mainly on KORKERDS itself and its rootkit component.
This suggests that the script's authors are trying to maximize their profits while competing directly with the KORKERDS operators for the same compromised machines.
Strengthen your defenses
To defend against Linux crypto-mining malware, security teams can use an endpoint management and security platform that monitors every endpoint for suspicious behavior. Organizations should also invest in security information and event management (SIEM) tooling.
Such tools can alert security teams to high graphics processing unit (GPU) and central processing unit (CPU) usage during non-business hours. Sustained high utilization with no scheduled workload to explain it is one of the most reliable early indicators of cryptocurrency mining.
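The off-hours CPU heuristic described above, written out as a small detection routine. This is an added example, not code from the article or from Trend Micro: it runs over constructed process-sample lines (timestamp, PID, CPU percent, command line), flags a process only when it stays above a CPU threshold for several consecutive off-hours samples, and separately flags command lines that carry miner markers such as a stratum pool URL or a known miner binary name. The thresholds, the business-hours window, the marker list and the sample data are all assumptions chosen for illustration.

```python
"""Flag likely cryptomining from periodic process samples (added example).

Two heuristics: (1) sustained high CPU across consecutive samples outside
business hours, which is the indicator the article recommends watching,
and (2) command-line markers typical of miner invocations.  All thresholds
and the sample data below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; tune per environment.
CPU_THRESHOLD = 80.0           # percent of one core
MIN_CONSECUTIVE_SAMPLES = 3    # e.g. three 5-minute samples, about 15 minutes
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time counts as business hours

# Assumed markers commonly seen in miner command lines (lower-case matching).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "xmr-stak", "xmrig", "minerd")

# Constructed sample lines: "<ISO timestamp> <pid> <cpu%> <command line>".
# Covers a miner at night, an idle daemon, a legitimate daytime encode, and a
# bursty job that never sustains high CPU across three samples.
SAMPLE_LOG = """\
2019-01-20T02:00:00 4021 97.5 /tmp/.cache/xmr-stak -o stratum+tcp://pool.example:3333
2019-01-20T02:05:00 4021 98.1 /tmp/.cache/xmr-stak -o stratum+tcp://pool.example:3333
2019-01-20T02:10:00 4021 96.0 /tmp/.cache/xmr-stak -o stratum+tcp://pool.example:3333
2019-01-20T02:00:00 1200 12.0 /usr/sbin/sshd -D
2019-01-20T02:05:00 1200 11.0 /usr/sbin/sshd -D
2019-01-20T02:10:00 1200 13.0 /usr/sbin/sshd -D
2019-01-20T14:00:00 3311 99.0 /usr/bin/ffmpeg -i in.mp4 out.mkv
2019-01-20T14:05:00 3311 99.0 /usr/bin/ffmpeg -i in.mp4 out.mkv
2019-01-20T14:10:00 3311 99.0 /usr/bin/ffmpeg -i in.mp4 out.mkv
2019-01-20T03:00:00 5150 91.0 /usr/bin/python3 backup.py
2019-01-20T03:05:00 5150 4.0 /usr/bin/python3 backup.py
2019-01-20T03:10:00 5150 92.0 /usr/bin/python3 backup.py
"""


def parse_line(line):
    """Split one sample line into (datetime, pid, cpu_percent, command)."""
    ts, pid, cpu, cmd = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(pid), float(cpu), cmd


def is_off_hours(ts):
    """True when the sample falls outside the assumed business-hours window."""
    return ts.hour not in BUSINESS_HOURS


def analyze(log_text):
    """Return {pid: [reasons]} for every process that deserves an alert."""
    samples = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, pid, cpu, cmd = parse_line(line)
            samples[pid].append((ts, cpu, cmd))

    findings = {}
    for pid, rows in samples.items():
        rows.sort()  # chronological order so consecutive samples are adjacent
        reasons = []

        # Heuristic 2: miner markers in the most recent command line.
        latest_cmd = rows[-1][2].lower()
        if any(marker in latest_cmd for marker in MINER_MARKERS):
            reasons.append("miner marker in command line")

        # Heuristic 1: a run of MIN_CONSECUTIVE_SAMPLES high-CPU off-hours samples.
        # A single sample below threshold or inside business hours resets the run,
        # so short bursts and daytime batch jobs do not trigger an alert.
        run = 0
        for ts, cpu, _ in rows:
            if cpu >= CPU_THRESHOLD and is_off_hours(ts):
                run += 1
                if run >= MIN_CONSECUTIVE_SAMPLES:
                    reasons.append("sustained off-hours CPU")
                    break
            else:
                run = 0

        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_LOG).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

On the constructed data only PID 4021 is reported, on both counts; the daytime ffmpeg job and the bursty backup script are ignored even though each spikes above the threshold. In practice the CPU heuristic should be fed from whatever periodic process telemetry the endpoint agent or SIEM already collects, and the marker list should be treated as a starting point, since the script described in this article renames its binary and can just as easily drop the pool URL into a config file.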