New Crypto-Miner Attacks Linux Machines, Kills Other Miners and Anti-Malware
https://news.softpedia.com/news/new-cryp...3958.shtml

Self-propagates to other network devices using SSH
Nov 23, 2018 21:44 GMT · By Sergiu Gatlan

The Russian Dr.Web anti-malware maker discovered a new Linux threat embodied by a Trojan designed to work as a crypto-miner and as a dropper for some other nasty malware payloads such as DDoS backdoors and rootkits.

The new Trojan strain named Linux.BtcMine.174 by the Dr.Web team is a heavy 1,000-line shell script which comes with multiple modules that it will download and write to any folder with write permissions on the infiltrated Linux box.

Once it has managed to dump the extra malware payloads on the compromised machine, Linux.BtcMine.174 will use the nohup POSIX utility to launch itself as a daemon, redirecting its output to a nohup.out file to make detection more difficult.

After installing itself as a service, the Trojan downloads a Linux.BackDoor.Gates.9 Trojan payload that makes it possible for its masters to control the compromised machine and use it to execute DDoS attacks.

Because, after compromising its Linux targets, the Trojan runs under the privileges of the current user, almost never an administrator account, Linux.BtcMine.174 uses exploits such as Linux.Exploit.CVE-2016-5195 (known as DirtyCow) and Linux.Exploit.CVE-2013-2094 to escalate its privileges and completely take over the Linux machine.

As soon as it gets root privileges on the infected device, it starts hunting for any anti-malware solutions, killing their processes when found and going even further by completely uninstalling them using a package manager.

Linux.BtcMine.174 also steals root passwords and auto-propagates itself via SSH
The Trojan will also hunt down any crypto miners it can find running on the machine, terminating their processes on sight to avoid sharing the system's computing resources. Once it's done "cleaning" the device of any mining competitors, Linux.BtcMine.174 will download a Monero (XMR) mining script and start working.

After the mining process has started, the malware will make sure that it keeps going at all times, checking its heartbeat every few minutes in an infinite loop and restarting it whenever needed.

To make things even worse for its victims, the Trojan will also add itself to the machine's Autorun and download a rootkit capable of hiding files anywhere on the system and, more importantly, stealing "user-entered passwords for the su command."

During the final stage of the infection process, the Linux.BtcMine.174 Trojan starts looking around for all the hosts available on the network that the compromised machine's owner has connected to in the past using SSH and tries to connect to and infect each of them.

More details regarding the inner workings of the new Trojan strain targeting Linux systems are available in Dr.Web's virus database, while a full list of all found indicators of compromise is ready for access on GitHub.
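The article lists several host-level traces a defender can look for: payload modules written to any writable folder, the Trojan daemonising itself with nohup and logging to nohup.out, a Monero miner process, and an Autorun (cron) entry that keeps the miner alive. The script below is an added triage example written for this thread; it is not code from Softpedia, Dr.Web or the malware, and it does not use the actual indicators of compromise from Dr.Web's GitHub list. It takes a `ps -eo pid,user,args` listing, a list of file paths and crontab lines as plain text, so the constructed sample data at the bottom runs offline. The writable-directory list and the miner command-line markers (XMRig's stratum pool URLs and `--donate-level` flag) are assumptions chosen for illustration, not values taken from the article.

```python
"""Added triage example: checks a process listing, file paths and crontab
lines for the kinds of traces the article attributes to Linux.BtcMine.174.
Not the malware's code and not Dr.Web's IoC list; all inputs are plain text."""
import re
from typing import Dict, Iterable, List

# Assumed: directories that are normally world-writable on a Linux host. The
# article says the dropper writes its modules to "any folder with write
# permissions"; these are the usual candidates for a non-root dropper.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Assumed: command-line fragments typical of Monero (XMR) miners such as
# XMRig (stratum pool URLs and --donate-level are XMRig conventions).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig", "minerd")

# One line of `ps -eo pid,user,args`: pid, user, then the full command line.
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<args>.+)$")


def _from_writable_dir(path: str) -> bool:
    return path.startswith(WRITABLE_DIRS)


def triage_processes(ps_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag processes whose binary lives in a world-writable directory or
    whose command line looks like a coin miner. One finding per hit."""
    findings = []
    for line in ps_lines:
        m = PS_LINE.match(line)
        if not m:
            continue  # header line or malformed input
        pid, user, args = m.group("pid"), m.group("user"), m.group("args")
        reasons = []
        if _from_writable_dir(args.split()[0]):
            reasons.append("executable in world-writable directory")
        if any(marker in args for marker in MINER_MARKERS):
            reasons.append("miner-like command line")
        if reasons:
            findings.append({"pid": pid, "user": user, "args": args,
                             "reason": "; ".join(reasons)})
    return findings


def triage_files(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Flag nohup.out logs in scratch directories: the article notes the
    Trojan launches itself with nohup and redirects output to nohup.out."""
    findings = []
    for path in paths:
        if path.endswith("/nohup.out") and _from_writable_dir(path):
            findings.append({"path": path,
                             "reason": "nohup.out in world-writable directory"})
    return findings


def triage_crontab(cron_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag cron entries (the 'Autorun' persistence the article mentions)
    that execute something out of a world-writable directory."""
    findings = []
    for line in cron_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Five schedule fields, then the command and its arguments.
        command = stripped.split()[5:]
        if any(tok.startswith(WRITABLE_DIRS) for tok in command):
            findings.append({"entry": stripped,
                             "reason": "cron job executes from world-writable directory"})
    return findings


# Constructed sample input for illustration (not real telemetry).
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "    1 root     /sbin/init",
    " 4242 www-data /tmp/.x/minerd -o stratum+tcp://pool.example:3333 -u wallet",
    " 4250 www-data /tmp/.x/worker.sh",
    " 5100 root     /usr/sbin/sshd -D",
]
SAMPLE_FILES = ["/tmp/.x/nohup.out", "/home/alice/nohup.out", "/tmp/.x/minerd"]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "*/5 * * * * /tmp/.x/worker.sh >/dev/null 2>&1",
    "0 3 * * * /usr/bin/apt-get update",
]

if __name__ == "__main__":
    for finding in (triage_processes(SAMPLE_PS) + triage_files(SAMPLE_FILES)
                    + triage_crontab(SAMPLE_CRON)):
        print(finding)
```

On a live host the three inputs would come from `ps -eo pid,user,args`, `find /tmp /var/tmp /dev/shm -name nohup.out` and the system and per-user crontabs; the checks are deliberately coarse, so every hit is a lead for a closer look rather than a verdict. Since the article says the Trojan kills anti-malware processes once it has root, a hit from one of these checks on a box whose security agent has silently stopped reporting is a stronger signal than either observation alone.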