With the popularity of cryptocurrencies, it is no surprise that cybercriminals continue to develop and fine-tune various cryptocurrency-mining malware. Indeed, this kind of threat is one of Trend Micro’s most consistently detected malware, affecting a wide range of platforms and devices.
We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems. It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.
Interestingly, the permission model in Unix and Unix-like operating systems like Linux make it tricky to run executables with privileges. We construe that this cryptocurrency-mining malware’s infection vector is a malicious, third-party/unofficial or compromised plugin (i.e., media-streaming software). Installing one entails granting it admin rights, and in the case of compromised applications, malware can run with the privileges granted to the application. It’s not an uncommon vector, as other Linux cryptocurrency-mining malware tools have also used this as an entry point.