Hackers Mine Monero (XMR) after Breaching Linux Systems in China
A new hacking group is breaking into Linux-based systems in China and using them to mine Monero.
“During our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security and monitoring products from compromised Linux servers… These attacks did not compromise these security products; rather, the attacks first gained full administrative control over the hosts and then abused that [power] to uninstall these products in the same way a legitimate administrator would,” the team wrote.
At least one of the cloud products running on these Linux servers was made by Alibaba Cloud, meaning the hackers appear to be targeting Chinese servers specifically. According to Unit 42, this is the first time it has encountered malware able to remove security products on a remote system in this fashion.
All of this work takes place through a shell script called “a7,” which keeps itself alive through what Linux systems call cron jobs, scheduled tasks that run at set times. In other words, the malware restarts itself every so often to ensure it is always on.
In addition to this, the script behaves a lot like another piece of malware found early last year, killing off other mining processes before initiating its own. This ensures there is no competition for resources on the victim’s computer.
The hackers managed to create a script that not only gets rid of competitors but also ensures that any future mining malware will not be able to use the default ports to connect to any mining pools. Perhaps the most worrying aspect is that Linux administrators would have trouble finding the process as it hides from the “ps” command.
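A process that hides from ps usually does so by hooking the library calls ps uses to read /proc, so enumerating /proc directly and comparing the result with what ps reports is a simple way for an administrator to spot the discrepancy the article describes. The following audit script is an added example written for this page; it is not code from the article, from Unit 42, or from the malware. It takes two snapshots of /proc around a single ps run so that short-lived processes (including the ps child itself) are not reported as hidden, and the pure functions it is built from can be checked on constructed input.

```python
"""Detect processes present in /proc but missing from ps output.

Added example for this page (not the article's or Unit 42's code). Assumes a
Linux host with /proc mounted and a ps(1) that accepts `-e -o pid=`.
"""
import os
import subprocess
from typing import Dict, Set


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` into a set of PIDs.

    Non-numeric lines (a stray header, blank lines) are ignored.
    """
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def list_proc_pids(proc_root: str = "/proc") -> Set[int]:
    """Enumerate numeric directory names under /proc; each one is a live PID."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        # Not Linux, or /proc not mounted: nothing to compare against.
        return set()
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(proc_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """PIDs that exist in /proc but that ps did not report.

    A userland hook that filters ps's directory listing still leaves the
    /proc/<pid> entry in place, so the difference is the candidate set.
    """
    return proc_pids - ps_pids


def describe(pids: Set[int], proc_root: str = "/proc") -> Dict[int, str]:
    """Map each PID to its command name from /proc/<pid>/comm (or '?')."""
    names: Dict[int, str] = {}
    for pid in sorted(pids):
        try:
            with open(os.path.join(proc_root, str(pid), "comm")) as fh:
                names[pid] = fh.read().strip()
        except OSError:
            names[pid] = "?"
    return names


def audit(proc_root: str = "/proc") -> Dict[int, str]:
    """Snapshot /proc, run ps, snapshot again, and report stable hidden PIDs.

    Only PIDs present in both snapshots are considered, which removes the
    transient ps process and anything that exited during the check.
    """
    before = list_proc_pids(proc_root)
    result = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=False
    )
    after = list_proc_pids(proc_root)
    stable = before & after
    return describe(hidden_pids(stable, parse_ps_pids(result.stdout)), proc_root)


if __name__ == "__main__":
    found = audit()
    if not found:
        print("no processes hidden from ps")
    for pid, name in found.items():
        print(f"hidden from ps: pid={pid} comm={name}")
```

Run it as root so every /proc/<pid>/comm is readable; a non-empty result is worth investigating, but confirm it from a second source (for example, a rescue boot or an eBPF-based process listing) because a kernel-level hook can hide the /proc entry as well, which this userland cross-check cannot see.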