New Linux Malware Hunts Its Predecessor to Mine Cryptonight

Delaware, USA – February 12, 2019 – Coinmining infections on Linux systems have entered a new round of evolution. In the second half of 2018, attacks on Linux servers became more frequent: in September, the cross-platform malware XBash started attacking Windows and Linux servers, and less than two months later, adversaries began actively distributing the KORKERDS coinminer, which installs a rootkit on an infected server. Both malware strains continue to change and to attack servers effectively through known vulnerabilities, and their successors are already emerging, ready to kill their predecessors in order to use the full power of the CPU to mine Cryptonight currency. Trend Micro researchers discovered a new threat based on KORKERDS that attacks IoT devices and Linux servers. The malware copies the KORKERDS code almost completely, but instead of installing the rootkit and removing antivirus solutions, it searches for and deletes its predecessors. To mine Cryptonight, the new malware uses a modified XMR-Stak, which allows attackers to profit from a larger number of systems.

The KORKERDS source code is publicly available, so the emergence of a new generation of coinminers based on it is only a matter of time, and a war for CPU resources between botnets is quite possible. Since adversaries exploit known vulnerabilities in such attacks, installing available updates is good protection. You can also use the Web Application Security Framework rule pack to promptly detect such attacks and proactively respond to them: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight