search

Coinminer.Linux.MALXMR.UWEKT

June 05, 2020
 Analysis by: Bren Matthew Ebriega
 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Coinminer

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

  TECHNICAL DETAILS

File Size:

3,672,976 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

05 Jun 2020

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Coinminer requires the following additional components to properly run:

  • {Coinminer Directory}\config.json

It does the following:

  • Accepts the following Parameters:
    • -b, --bind=ADDR bind to specified address, example "0.0.0.0:3333"
    • -a, --algo=ALGO mining algorithm https://xmrig.com/docs/algorithms
    • --coin=COIN specify coin instead of algorithm
    • -m, --mode=MODE proxy mode, nicehash (default) or simple
    • -o, --url=URL URL of mining server
    • -O, --userpass=U:P username:password pair for mining server
    • -u, --user=USERNAME username for mining server
    • -p, --pass=PASSWORD password for mining server
    • --encin encin
    • --encout encout
    • --rig-id=ID rig identifier for pool-side statistics (needs pool support)
    • --tls-fingerprint=F pool TLS certificate fingerprint, if set enable strict certificate pinning
    • -k, --keepalive prevent timeout (needs pool support)
    • -r, --retries=N number of times to retry before switch to backup server (default: 1)
    • -R, --retry-pause=N time to pause between retries (default: 1 second)
    • --custom-diff=N override pool diff
    • --reuse-timeout=N timeout in seconds for reuse pool connections in simple mode
    • --verbose verbose output
    • --user-agent=AGENT set custom user-agent string for pool
    • --no-color disable colored output
    • --no-workers disable per worker statistics
    • --variant algorithm PoW variant
    • --donate-level=N donate level, default 2%%
    • -B, --background run the miner in the background
    • -c, --config=FILE load a JSON-format configuration file
    • -l, --log-file=FILE log all output to a file
    • -S, --syslog use system log for output messages
    • -A --access-log-file=N log all workers access to a file
    • --access-password=P set password to restrict connections to the proxy
    • --no-algo-ext disable "algo" protocol extension
    • --api-worker-id=ID custom worker-id (instance name) for API
    • --api-id=ID custom instance ID for API
    • --http-enabled enable HTTP API
    • --http-host=HOST bind host for HTTP API (by default 127.0.0.1)
    • --http-port=N bind port for HTTP API
    • --http-access-token=T access token for HTTP API
    • --http-no-restricted enable full remote access to HTTP API (only if access token set)
    • --tls enable SSL/TLS support for pool connection (needs pool support)
    • --tls-bind=ADDR bind to specified address with enabled TLS
    • --tls-cert=FILE load TLS certificate chain from a file in the PEM format
    • --tls-cert-key=FILE load TLS certificate private key from a file in the PEM format
    • --tls-dhparam=FILE load DH parameters for DHE ciphers from a file in the PEM format
    • --tls-protocols=N enable specified TLS protocols, example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    • --tls-ciphers=S set list of available ciphers (TLSv1.2 and below)
    • --tls-ciphersuites=S set list of available TLSv1.3 ciphersuites
    • -h, --help display this help and exit
    • -V, --version output version information and exit
  • Supported algo options:
    • cryptonight/0
    • cryptonight
    • cryptonight/1
    • cryptonight/2
    • cryptonight-monerov7
    • cryptonight-monerov8
    • cryptonight/r
    • cryptonight/fast
    • cryptonight/msr
    • cryptonight/half
    • cryptonight/xao
    • cryptonight_alloy,
    • cryptonight/rto
    • cryptonight/rwz
    • cryptonight/zls
    • cryptonight/double
    • cryptonight/gpu
    • cryptonight-lite/0
    • cryptonight-lite/1
    • cryptonight-lite
    • cryptonight-light
    • cryptonight_lite
    • cryptonight-aeonv7
    • cryptonight_lite_v7
    • cryptonight-heavy/0
    • cryptonight-heavy
    • cryptonight_heavy
    • cryptonight-heavy/xhv
    • cryptonight_haven
    • cryptonight-heavy/tube
    • cryptonight-bittube2
    • cryptonight-pico
    • cryptonight-pico/trtl
    • cryptonight-turtle
    • cryptonight-ultralite
    • cryptonight_turtle
    • randomx/test
    • RandomX
    • RandomWOW
    • RandomXL
    • randomx/arq
    • RandomARQ
    • randomx/loki
    • randomx/wow
    • randomx/0
    • argon2/chukwa
    • argon2/wrkz
  • Supported coin options:
    • monero
    • arqma

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.912.05

FIRST VSAPI PATTERN DATE:

05 Jun 2020

VSAPI OPR PATTERN File:

15.913.00

VSAPI OPR PATTERN Date:

06 Jun 2020

Scan your computer with your Trend Micro product to delete files detected as Coinminer.Linux.MALXMR.UWEKT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.