
mrtrout
#1 New Crypto-Miner Attacks Linux Machines, Kills Other Miners and Anti-Malware

Self-propagates to other network devices using SSH
Nov 23, 2018 21:44 GMT · By Sergiu Gatlan

The Russian anti-malware maker Dr.Web discovered a new Linux threat embodied by a Trojan designed to work as a crypto-miner and as a dropper for some other nasty malware payloads such as DDoS backdoors and rootkits.

The new Trojan strain named Linux.BtcMine.174 by the Dr.Web team is a heavy 1,000-line shell script which comes with multiple modules that it will download and write to any folder with write permissions on the infiltrated Linux box.

Once it has managed to dump the extra malware payloads on the compromised machine, Linux.BtcMine.174 will use the nohup POSIX utility to launch itself as a daemon, redirecting its output to a nohup.out file to make detection more difficult.

After installing itself as a service, the Trojan downloads a Linux.BackDoor.Gates.9 Trojan payload that makes it possible for its masters to control the compromised machine and use it to execute DDoS attacks.

Because, after compromising its Linux targets, the Trojan runs under the privileges of the current user, which is almost never an administrator account, Linux.BtcMine.174 uses exploits such as Linux.Exploit.CVE-2016-5195 (known as DirtyCow) and Linux.Exploit.CVE-2013-2094 to escalate its privileges and completely take over the Linux machine.

As soon as it gets root privileges on the infected device, it starts hunting for any anti-malware solutions, killing their processes when found and going even further by completely uninstalling them using a package manager.

Linux.BtcMine.174 also steals root passwords and auto-propagates itself via SSH
The Trojan will also hunt down any crypto miners it can find running on the machine, terminating their processes on sight to avoid sharing the system's computing resources. Once it's done "cleaning" the device of any mining competitors, Linux.BtcMine.174 will download a Monero (XMR) mining script and start working.

After the mining process has started, the malware will make sure that it keeps going at all times, checking its heartbeat every few minutes in an infinite loop and restarting it whenever needed.

To make things even worse for its victims, the Trojan will also add itself to the machine's Autorun and download a rootkit capable of hiding files anywhere on the system and, more importantly, stealing "user-entered passwords for the su command."

During the final stage of the infection process, the Linux.BtcMine.174 Trojan starts looking around for all the hosts on the network that the compromised machine's owner has connected to in the past using SSH and tries to connect to and infect each of them.

More details regarding the inner workings of the new Trojan strain targeting Linux systems are available in Dr.Web's virus database, while a full list of all found indicators of compromise is ready for access on GitHub.
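A defender-side triage check, added here as an example and not taken from the article or from Dr.Web, that looks for two of the artefacts described above: a nohup.out left behind in a world-writable drop folder, and an autorun (cron/rc) entry that launches a script from that same folder. The scan directories, autorun file paths and the sample tree it builds are assumptions; on a real host you would call triage() against "/".

```python
import os
import pathlib
import tempfile

SCAN_DIRS = ("tmp", "var/tmp", "dev/shm")        # assumed writable drop folders
AUTORUN_FILES = ("etc/crontab", "etc/rc.local")  # assumed autorun locations

def writable_dirs(root):
    for rel in SCAN_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path) and os.stat(path).st_mode & 0o002:  # world-writable
            yield path

def find_nohup_artifacts(root):
    """Return (dir, [scripts]) for every nohup.out found under a writable dir."""
    hits = []
    for base in writable_dirs(root):
        for dirpath, _, files in os.walk(base):
            if "nohup.out" in files:
                scripts = sorted(f for f in files if f.endswith(".sh"))
                hits.append(("/" + os.path.relpath(dirpath, root), scripts))
    return hits

def autorun_refs(root, suspect_dirs):
    """Return (file, line) autorun entries that launch from a suspect dir."""
    refs = []
    for rel in AUTORUN_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path) as fh:
                for line in fh:
                    if any(d in line for d in suspect_dirs):
                        refs.append((rel, line.strip()))
    return refs

def triage(root="/"):
    """Correlate nohup.out drop sites with autorun entries that point at them."""
    nohup = find_nohup_artifacts(root)
    return {"nohup": nohup, "autorun": autorun_refs(root, [d for d, _ in nohup])}

def build_sample_tree():
    """Constructed fixture imitating the described layout; contains no malware."""
    root = pathlib.Path(tempfile.mkdtemp())
    hide = root / "tmp" / ".x"
    hide.mkdir(parents=True)
    (root / "tmp").chmod(0o1777)
    (hide / "nohup.out").touch()
    (hide / "run.sh").write_text("#!/bin/sh\n# constructed placeholder\n")
    (root / "etc").mkdir()
    (root / "etc" / "crontab").write_text("*/5 * * * * root /tmp/.x/run.sh\n")
    return str(root)
```

A hit that pairs a nohup.out with a cron line launching from the same hidden directory is the combination worth escalating; either artefact on its own is common on healthy systems.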
