Cryptomining malware is a relatively new category that is still being explored by security specialists and, unfortunately, by criminals. These silent crypto miners make ideal threats: sophisticated obfuscation keeps them undetected, they spread widely and easily, and they need no interaction from the infected victim. Windows users are accustomed to warnings about new miner strains such as MassMiner, JSMiner or XMRig, but crypto miners have not been a common occurrence for Linux users, until now.
Just a few days ago, the Russian anti-malware company Doctor Web (Dr. Web) reported a new multi-functional Linux trojan named Linux.BtcMine.174. This sneaky, Monero-mining malware surprised researchers with a range of complex capabilities packed into a 1000-line script and, more notably, it was designed to run on Linux rather than the usual Windows.
Despite its generic name, Linux.BtcMine.174 shows some impressive techniques that combine older and newer intrusion and execution methods. The mining trojan first runs the 1000-line script mentioned above and locates a directory to which it has write permission. There it copies itself and contacts the attackers' servers to fetch the additional modules it needs for later stages. It also brings the Linux.BackDoor.Gates.9 trojan, which lets the attackers execute arbitrary commands and carry out DDoS attacks.
If Linux.BtcMine.174 is not launched as root, it escalates privileges with the help of a separate script fetched from the server, which runs a set of exploits abusing CVE-2016-5195 (aka Dirty COW) and CVE-2013-2094 to obtain full root privileges. The scripts then check whether the trojan is running as root and, if so, use the system's package managers to stop and remove the services of Linux antivirus products such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord, to avoid interruption and detection.
After that, the trojan adds itself to the system's autorun entries and downloads a rootkit from the server to capture the passwords the user enters and to hide the processes and network connections that would give Linux.BtcMine.174's presence away. Before launching the Monero (XMR) miner, the malware checks whether any other cryptocurrency mining applications are already installed and, if necessary, replaces them with its own so that it gets the machine's full mining capacity.
At the moment, the crypto miner is believed to spread mainly via SSH servers and the hosts that the infected device has previously connected to, remotely compromising large numbers of machines. This is a particularly dangerous characteristic: it could cause a lot of damage if the malware reached a large corporate network.
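Two checks a defender can run against the behaviour described above: whether any of the security services this article lists as targets of the trojan are no longer active, and whether the local known_hosts file stores peer hostnames in plaintext, which is what lets a compromised machine learn which hosts it previously connected to. This is an added example, not code from Dr. Web or from the write-up; the systemctl and known_hosts inputs are constructed samples, and the remediation assumes OpenSSH's HashKnownHosts option.

```python
# Security services the article says Linux.BtcMine.174 stops and removes once it runs as root.
WATCHED_SERVICES = {
    "safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdavd", "cmdmgd",
    "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord",
}

def audit_services(systemctl_output):
    """Parse 'systemctl list-units --type=service --all --no-legend --plain' output
    and return {service: ACTIVE column} for every watched service that is not active."""
    findings = {}
    for line in systemctl_output.splitlines():
        fields = line.split()
        if fields and fields[0] in ("*", "\u25cf"):   # tolerate bullet markers
            fields = fields[1:]
        if len(fields) < 3 or not fields[0].endswith(".service"):
            continue
        name = fields[0][: -len(".service")]
        if name in WATCHED_SERVICES and fields[2] != "active":
            findings[name] = fields[2]
    return findings

def plaintext_known_hosts(known_hosts_text):
    """Return host patterns stored unhashed in a known_hosts file.
    Hashed entries (|1|salt|hash) do not reveal previous peers to a reader of the file."""
    exposed = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):           # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if not fields[0].startswith("|1|"):
            exposed.extend(fields[0].split(","))
    return exposed

# Constructed sample inputs (not real systems or keys).
SAMPLE_SYSTEMCTL = """\
clamd.service          loaded inactive dead    constructed AV daemon
drweb-configd.service  loaded failed   failed  constructed AV daemon
sshd.service           loaded active   running constructed SSH daemon
"""
SAMPLE_KNOWN_HOSTS = """\
# constructed known_hosts
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3Nza-constructed
build01.example.internal,10.0.0.12 ssh-ed25519 AAAAC3Nza-constructed
@revoked old-host.example.internal ssh-rsa AAAAB3Nza-constructed
"""

if __name__ == "__main__":
    print("inactive watched services:", audit_services(SAMPLE_SYSTEMCTL))
    print("plaintext known hosts:", plaintext_known_hosts(SAMPLE_KNOWN_HOSTS))
```

Plaintext entries can be converted in place with `ssh-keygen -H -f ~/.ssh/known_hosts`, and `HashKnownHosts yes` in ssh_config keeps new entries hashed.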
In summary, the Linux.BtcMine.174 trojan is capable of installing the BillGates malware on Linux devices, mining Monero, detecting and replacing other miners, launching DDoS attacks, gathering the victim's passwords and stopping antivirus processes.
The discovery of Linux.BtcMine.174 shows that cybercriminals are improving rapidly and that Linux users can no longer take their security for granted. Like Windows users, they should think about preventative measures, and about security tools that can help when a miner gets past the basic protections. Although this was just one trojan, it is likely that more threats with even more sophisticated techniques will follow, and hopefully security specialists will manage to keep up with them.