Light Dark
February 11, 2019 By David Bisson 2 min read

Security analysts identified a sample of Linux crypto-mining malware that kills any other malicious miners upon installation.

Trend Micro researchers discovered the malware while doing a routine log check after spotting a script within one of their honeypots that began downloading a binary connected to a domain. This binary turned out to be a modified version of the cryptocurrency miner XMR-Stak.

The script didn’t stop at downloading this sample of Linux malware, which Trend Micro detected as Coinminer.Linux.MALXMR.UWEIU. It removed other crypto-mining malware and related services affecting the machine at the time of infection. The malware also created new directories and files and stopped processes that shared connections with known IP addresses.

A Likeness to Other Threats

In their analysis of Coinminer.Linux.MALXMR.UWEIU, Trend Micro found that the malware’s script shares certain attributes with other threats it previously detected. Specifically, researchers observed similarities between this malicious coin miner and Xbash, a malware family discovered by Trend Micro in September 2018 that combines ransomware, cryptocurrency mining, worm and scanner capabilities in its attacks against Linux and Windows servers.

Researchers also noted that the threat’s code is nearly identical to that of KORKERDS, crypto-mining malware Trend Micro uncovered back in November 2018. There are a few differences, however.

The new script simplified the routine by which KORKERDS downloads and executes files and loads the Linux coin malware sample. It also didn’t uninstall security solutions from or install a rootkit on the infected machine. In fact, the script’s kill list targeted both KORKERDS and its rootkit component. This move suggests that those who coded the script are attempting to maximize their profits while competing with the authors of KORKERDS.

Strengthen Your Crypto-Mining Malware Defenses

Security professionals can help defend against Linux crypto-mining malware by using an endpoint management and security platform capable of monitoring endpoints for suspicious behavior. Organizations should also leverage security information and event management (SIEM) tools that can notify security teams of high central processing unit (CPU) and graphics processing unit (GPU) usage — key indicators of cryptocurrency mining activities — during nonbusiness hours.

 |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature