
Linux CryptoMiners Are Now Using Rootkits to Stay Hidden


As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for cryptominers, though, is that the offending process is easily detectable due to its heavy CPU utilization.

To make it harder to spot a cryptominer process that is consuming all of the CPU, a new Linux variant has been discovered that attempts to hide its presence by using a rootkit.

According to a new report by TrendMicro, this cryptominer+rootkit combo will still cause performance issues due to the high CPU utilization, but administrators will not be able to see which process is causing it.

“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” stated a report by TrendMicro. “It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”

While it is not known what software is installing this miner, TrendMicro believes it is an unofficial or compromised plugin, such as media-streaming software. When installed, the executable downloads and executes a series of shell scripts that ultimately install the miner and then a rootkit to hide the miner's presence.

Infection Chain (Source: TrendMicro)

In the variant detected by TrendMicro, the cryptominer will be installed to /tmp/kworkerds and executed. When the rootkit is not installed, you can easily see the kworkerds process utilizing 100% of the CPU.

Htop showing the miner process utilizing 100% of the CPU

Once the rootkit is installed, though, the process causing the high CPU is not visible even though the total system utilization is still shown as 100%.

Miner process hidden by rootkit
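The symptom shown above, a box pinned at 100% CPU with no process to blame, is detectable. The following is an added example (not code from the TrendMicro report or this article) that assumes the rootkit hides the miner by filtering directory listings of /proc, as user-mode rootkits commonly do, while /proc/<pid> still answers when opened by its explicit path; it probes every possible pid and diffs the result against what the listing returned, and cross-checks system-wide busy time from /proc/stat against the CPU time of the processes that are visible. All function names are mine.

```python
# Added example: surface a process hidden from ps/htop by a listing-filtering
# rootkit (assumption: path lookups of /proc/<pid> are not filtered).
import os

def hidden_pids(listed, probe_exists, pid_max):
    """Pids that answer a direct /proc/<pid> probe but are absent from the
    readdir listing. `listed`: set of pids the listing returned;
    `probe_exists(pid)`: True if /proc/<pid> exists when opened by path."""
    return sorted(p for p in range(1, pid_max + 1)
                  if p not in listed and probe_exists(p))

def busy_ticks(stat_text):
    """System-wide busy jiffies from the aggregate 'cpu' line of /proc/stat:
    user + nice + system + irq + softirq + steal (idle and iowait excluded)."""
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            f = [int(x) for x in line.split()[1:]]
            return f[0] + f[1] + f[2] + f[5] + f[6] + f[7]
    raise ValueError("no aggregate cpu line in /proc/stat")

def proc_ticks(pid_stat_text):
    """utime + stime (fields 14 and 15) of one /proc/<pid>/stat record. The
    comm field is parenthesised and may contain spaces, so split after ')'."""
    rest = pid_stat_text[pid_stat_text.rfind(")") + 2:].split()
    return int(rest[11]) + int(rest[12])

def unaccounted_share(stat_text, pid_stat_texts):
    """Fraction of system busy time not attributable to any visible process;
    a value near 1.0 on a 100%-busy host is the symptom the article shows."""
    total = busy_ticks(stat_text)
    seen = sum(proc_ticks(t) for t in pid_stat_texts)
    return 0.0 if total == 0 else max(0.0, (total - seen) / total)

def scan_live():
    """Run both checks against the real /proc of this host (the pid probe
    can take a while when pid_max is large)."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    hidden = hidden_pids(listed, lambda p: os.path.isdir(f"/proc/{p}"), pid_max)
    records = []
    for p in listed:
        try:
            with open(f"/proc/{p}/stat") as fh:
                records.append(fh.read())
        except OSError:
            pass  # process exited between listing and read
    with open("/proc/stat") as fh:
        return hidden, unaccounted_share(fh.read(), records)
```

Because /proc/stat is cumulative since boot and includes time from processes that have already exited, treat the unaccounted share from a single snapshot as a rough indicator and sample twice over an interval for a cleaner figure.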

As you can see, using a rootkit to hide a cryptominer can be an effective way for it to avoid removal. Unfortunately, this is also a nightmare for system administrators and users who cannot figure out why their computer is using so much CPU.


