Cryptojackers Come to Linux with a Brand-New Stealth-Like Crypto Mining Malware

Trend Micro experts discovered atypical cryptocurrency mining malware for Linux systems.

Linux users are no longer immune to stealth cryptocurrency mining, also called cryptojacking. Japanese cybersecurity company Trend Micro discovered that a cryptocurrency miner known as KORKERDS behaves unusually: it is able to hide its activity from Linux users.

Trend Micro noted on its website that the infection vector has yet to be determined. The mining malware might, however, be installed on the victim's computer through a compromised plugin or software download.

The cryptocurrency miner is focused on Monero (XMR) coins. Trend Micro labeled it as Coinminer.Linux.KORKERDS.AB, noting that it can be bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) to hide the mining activity from system monitors.

"This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file," the company explains.

It is worth noting that Unix-based operating systems, including Mac OS and Linux, are considered highly secure because executables cannot normally run with elevated privileges without explicit user consent. This malicious cryptocurrency mining software appears to be embedded in a third-party or compromised plugin: the user grants it administrator rights upon installation, which gives the malware a free hand to do its dirty tricks.

Trend Micro emphasizes that this is a common entry point used by hackers to install viruses and other malware tools on Unix-based operating systems.

How it works

Once the stealth miner starts mining coins, processor utilization spikes to 100%, slowing the user's computer down significantly. The cause is often hard to find, however, because the rootkit bundled with the malware hooks the libc API functions readdir and readdir64: the standard library file is overwritten so that readdir is replaced with a fake version, and tools that enumerate directories such as /proc through the hooked call no longer show the miner.
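A hooked readdir, as described above, leaves a blind spot a defender can test for: enumerate /proc with readdir() and compare the result against direct stat() probes of /proc/<pid>, which do not go through that call. The program below is an added example written for this article, not code from Trend Micro or from the malware; it assumes a Linux /proc filesystem and uses the Tgid field of /proc/<pid>/status so that threads, which stat() sees but readdir() never lists, are not reported as hidden.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if readdir() on /proc reports this PID; a readdir hook would make it 0. */
int proc_listed(pid_t pid) {
    char name[32]; int found = 0;
    snprintf(name, sizeof name, "%ld", (long)pid);
    DIR *d = opendir("/proc"); if (!d) return 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (strcmp(e->d_name, name) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* 1 if Tgid == pid in /proc/<pid>/status, i.e. a process and not a thread:
 * /proc/<tid> of a non-leader thread is stat()-able yet never listed by readdir(). */
int is_thread_group_leader(pid_t pid) {
    char path[64], line[128]; long tgid = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r"); if (!f) return 0;
    while (fgets(line, sizeof line, f) && sscanf(line, "Tgid: %ld", &tgid) != 1) {}
    fclose(f);
    return tgid == (long)pid;
}

/* stat() /proc/1..max_pid (bypassing readdir()); a live process the listing omits is hidden. */
int find_hidden_pids(pid_t max_pid, pid_t *out, int cap) {
    int hidden = 0; char path[32]; struct stat st;
    for (long pid = 1; pid <= max_pid; pid++) {
        snprintf(path, sizeof path, "/proc/%ld", pid);
        if (stat(path, &st) != 0 || !is_thread_group_leader((pid_t)pid)) continue;
        if (proc_listed((pid_t)pid) || stat(path, &st) != 0) continue; /* visible, or exited */
        if (hidden < cap) out[hidden] = (pid_t)pid; hidden++;
    }
    return hidden;   /* count of hidden processes; up to cap of them written to out */
}

int main(void) {
    long max_pid = 32768;                            /* fallback if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &max_pid) != 1) max_pid = 32768; fclose(f); }
    pid_t hidden[64]; int n = find_hidden_pids((pid_t)max_pid, hidden, 64);
    for (int i = 0; i < n && i < 64; i++)
        printf("PID %ld is live but absent from readdir(/proc)\n", (long)hidden[i]);
    return n > 0;                                    /* non-zero exit when something hides */
}
```

Because this check itself relies on libc, a rootkit that also hooks stat() or the reads of /proc/<pid>/status would evade it, so build the tool statically or cross-check against a kernel-side view rather than trusting the shared libc on a suspect host.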

The researchers say that the new malware is equally dangerous for servers and individual Linux users.

In May, we reported that Mac OS users were also vulnerable to cryptojacking.
