A new coinminer malware strain which targets the Linux platform and installs the XMR-Stak*Cryptonight cryptocurrency miner has been observed while searching for*and killing other Linux malware and coin miners present on the compromised machine.
While cryptocurrency*mining programs are not malicious tools on their own, they are seen as malware when used by threat actors to surreptitiously mine for cryptocoins*by stealing processing resources from unaware victims.
In this case, a malicious coinminer*script was detected by Trend Micro's*Augusto Remillano II and Jakub Urbanec*on one of their honeypots and, according to their analysis, it is sharing some code parts with the Xbash*malware and it is very closely related to the*KORKERDS cryptocurrency miner known for*hiding with the help of a rootkit.
This KORKERDS variant does not use rootkits to conceal itself, but, instead, it downloads a*universal Stratum*XMR-Stak*pool miner which uses the system's*CPU or GPU to mine Cryptonight currencies.
Killing previously installed malware
The initial script will download a*crontab file as part of the first infection stage which will be used to launch the next stage consisting of three functions:

  • Function B kills previously installed malware, coin miners, and all related services referenced to an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories, files, and stop processes with connections to identified IP addresses.
  • Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
  • Function C downloads a script from hxxp://yxarsh.shop/0, saves it to /usr/local/bin/dns file, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs.


In this stage, the malware will also make sure to clear system logs to erase its traces, and will also achieve persistence avoiding removal after reboots or deletion with the help of the implanted crontab*files.
As discovered by Trend Micro's research team, the second stage of the infection originates from multiple IP cameras and web services via the TCP port 8161, from domains where the attackers have stored the crontab*file which launches the main stage of the malware attack.
Linux malware and coinminers*on the rise

The main difference between how this malware and KORKERDS work is that "the new script inserts just one crontab that fetches all the code and the miner" while KORKERDS saves its crontab*directly.
A full list of indicators of compromise is provided by the Trend Micro research team at the end of their analysis of the new malicious coinminer*sample.
The Linux platform is getting more and more attention from threat actors, and Check Point proved when they found a new*Backdoor Trojan they dubbed SpeakUp which is currently targeting servers running six different Linux distributions by exploiting multiple known*security vulnerabilities and evading all*anti-malware solutions in the process.
Additionally, cryptocurrency*mining malware has impacted*ten times more organizations*than ransomware did while and more and more malware families have begun to mix in new capabilities targeting cryptocurrency*within their arsenal during 2018, according to a*Check Point Research report.