Monero-Mining Linux Malware Steals Credentials for Lateral Movement

Delaware, USA – November 27, 2018 — Adversaries are perfecting Monero-mining Linux malware, giving it new features to steal credentials and spread further via SSH. Dr.Web researchers have discovered a new, complex trojan with many malicious features. The malware is a shell script of 1,000+ lines of code that finds a folder on disk to which it has write permissions, copies itself there and later uses that folder to download other modules. Like other previously discovered Monero-mining Linux malware, this trojan exploits CVE-2016-5195 and CVE-2013-2094 to get root permissions and full access to the OS. It then sets itself up as a local daemon, scans for and terminates the processes of several rival cryptocurrency-mining malware families, and downloads and starts its own Monero-mining operation. Among the trojan's more interesting functions are the ability to find and kill antivirus processes and a routine that steals valid SSH credentials, collects information about the remote servers the attacked host has connected to, and connects to them to spread the infection to as many systems as possible.
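To gauge how far the SSH spreading described above could reach from one host, a defender can check what that host stores in the clear. The following is an added example, not code from Dr.Web or from the malware. It assumes the connection history of interest is the OpenSSH `known_hosts` file and that credentials are private key files; all sample data is constructed.

```python
import base64
import struct

def cleartext_hosts(known_hosts_text):
    """Return host names/addresses stored unhashed in known_hosts content."""
    hosts = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):            # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                             # malformed, or hashed (HashKnownHosts yes)
        hosts.extend(h for h in fields[0].split(",") if h)
    return hosts

def key_is_passphrase_protected(key_text):
    """True/False for a private key file's text; None if not a recognised private key."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return None
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"                 # cipher "none" means no passphrase
    if "ENCRYPTED PRIVATE KEY" in lines[0]:      # PKCS#8 encrypted container
        return True
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def sample_openssh_key(cipher):
    # Constructed header only (magic + cipher name); contains no key material.
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed known_hosts content (hypothetical hosts, dummy key fields).
SAMPLE_KNOWN_HOSTS = """\
db01.example.internal,10.0.0.5 ssh-ed25519 AAAAconstructed
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAconstructed
[bastion.example.internal]:2222 ecdsa-sha2-nistp256 AAAAconstructed
"""

if __name__ == "__main__":
    print("hosts readable without hashing:", cleartext_hosts(SAMPLE_KNOWN_HOSTS))
    for cipher in (b"none", b"aes256-ctr"):
        print(cipher.decode(), "->", key_is_passphrase_protected(sample_openssh_key(cipher)))
```

Hosts the first function returns are candidates for `HashKnownHosts yes`, and keys for which the second returns `False` are candidates for a passphrase or replacement.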
The new virus poses a severe danger to organizations, as it can both paralyze the work of the company and provide attackers with full access to the organization’s network. You can detect the threat using the indicators of compromise from Dr.Web and the Threat Hunting Framework for ArcSight, which tracks IPs, URLs, domains and file hashes across all log sources you have connected to the SIEM: