Cryptocurrency Miners Start to Use Rootkit

Delaware, USA – November 12, 2018 — Adversaries improved one of the variants of Linux cryptocurrency-mining malware, and now it uses the rootkit to hide its activities. Trend Micro researchers discovered a new sample that uses a rootkit component to hide the malicious process’ presence from monitoring tools. This greatly complicates the determination of the causes of performance issues, in addition, the new cryptominer can update itself and change its configuration files. Malware is distributed along with some compromised plug-ins. The ELF file downloads from Pastebin and runs a shell script, which in turn downloads and runs the next stage script to install cryptocurrency mining malware and rootkit. After being installed as a service, the malware checks whether the coinmining component works correctly, and downloads and reinstalls it in case of incorrect operation. Coinminer downloads and installs a rootkit component to hide the process causing the high consumption of resources.

Cryptocurrency miners for Windows also are not at a stop. Adversaries distribute a new version of Coinminer via malicious MSI files, which allows them to bypass some of the security filters. The installer also contains scripts to block anti-malware protection. Despite the fact that only a few malware samples are profitable, attackers continue to improve their tools. Web Mining Detector for ArcSight enables detection of connections to popular cryptocurrency mining platforms determining possible performance issues on certain assets: