With the growing popularity of cryptocurrencies, the number of malware pieces that are called cryptojackers also grows infecting more and more victims. Cryptojackers are hidden cryptocurrency miners that are secretly installed on computers. They use computer resources to mine coins thus earning money for cybercrooks. These viruses are also called cryptominers.
One of the problems with cryptojackers is that their harmful activities can be easily detected due to the intensive use of the CPU. In order to complicate the detection of the rogue process running in the background (and which uses plenty of processor power) a new cryptojacker variant tries to hide its presence with the help of a rootkit. For now, only Lunux systems are targeted by this malware.
As computer security company called TrendMicro reports, this new combination of a rootkit and crypotminer still influences the processor performance and slows it down. However, system administrators cannot determine which exactly process is causing this activity.
Trend Micro is famous for its antivirus software. Company regularly reports on new types of malware. This time they say that the cryptojacker called Coinminer.Linux.KORKERDS.AB goes bundled with the rootkit called Rootkit.Linux.KORKERDS.AA. The new combo-malware is capable of upgrading and updating itself as well as its configuration file on the fly by communicating with the remote server controlled by the cybercrooks.
Although it is not 100% known how hackers spread and install the malware in question, TrendMicro suspects it to be a hacked or unofficial media-streaming plug-in. During the installation of this malicious plug-in, an executable file will download a series of shell scripts that eventually set the miner, and after it – the rootkit to hide the presence of a cryptojacker.
The malware variant discovered by TrendMicro gets installed into the temp folder (as many other malware pieces prefer to do). This time it is installed to /tmp/kworkerds. If by some reason the rootkit component fails to install, victims may easily spot that the kworkerds process uses almost 100% CPU. If the rootkit is there, the process causing high processor load – cannot be visually detected although the overall system load remains 100%.
From the above example, you can see that using a rootkit to conceal a cryptojacker can be very effective and prevent quick malware detection and removal. Sad but system administrators and ordinary users may appear in horrible situation trying to understand why their PCs use CPU so intensively.
Crypto-mining viruses, especially on Linux systems, may cause serious performance problems. It is a huge problem considering the ubiquity of Linux in running various business processes on workstations, servers, application development frameworks, and mobile devices.
IT departments and ordinary users may try to protect their equipment by following simple safety rules outlined below:
- Ensure compliance with the principle of least privilege.
- Disable and remove un-verified repositories and\or libraries.
- Strengthen systems with proven security tools that will help to solve the problems of inappropriate configuration.
- Reduce the attack surface by evaluating and tweaking control policies that manage access to system and network resources.
- Regularly monitor systems for abnormal activity.
- Patch systems regularly in order to prevent exploitation of vulnerabilities.
- Update all server applications thus reducing the risk of compromise.
- Follow current VPN deals and IDM systems deals and introduce them on your computer systems.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.