Security experts from Russian antivirus firm Dr.Web have discovered a new strain of Linux cryptominer tracked as Linux.BtcMine.174.

The Linux cryptominer has a multicomponent structure that implements a broad range of features in over 1,000 lines of code.

When the Monero Linux cryptominer is first executed it checks whether the server, from which the Trojan will subsequently download additional modules, is available.

Then it finds a folder on disk to which it has write permissions so it can copy itself and use it as a repository for the downloading of additional modules.

The Linux.BtcMine.174 Linux cryptominer uses one of two privilege escalation exploits CVE-2016-5195 (aka Dirty COW) and CVE-2013-2094 to get root permissions on the infected system.

The Linux miner also adds itself as an autorun entry to files like /etc/rc.local, /etc/rc.d/…, and /etc/cron.hourly; and then downloads and runs a rootkit.

“If the script is not run with /sbin/init, the following actions are performed:

The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable). The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package). ” Reads the analysis published by Dr. Web.

Once the malware has infected the Linux system, it will scan and terminate the processes of several miners, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.). Experts also discovered that the Trojan also kill antivirus software, including Avast, AVG, Dr.Web and ESET.

Then the Linux.BtcMine.174. downloads and starts its own Monero-mining operation.

Linux.BackDoor.Gates.9 that implements backdoor features and allows to carry out DDoS attacks. The Linux malware also downloads another Trojan, tracked asthat implements backdoor features and allows to carry out DDoS attacks.

Linux.BtcMine.174 also downloads and executes with the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

The Trojan also collects data for all the hosts to which the current user has previously connected via SSH and tries to connect them.

Experts believe the malware is spreading using SSH credentials stolen on the infected systems.

Additional technical details are included in the report published by Dr.Web, the experts also published SHA1 hashes for the various components of the malware on GitHub.

Pierluigi Paganini

(Security Affairs – Linux cryptominer, Linux.BtcMine.174)

Share this...

Linkedin Reddit Pinterest

Share On