Cryptocurrency-mining Malware Targets Linux Systems, Uses Rootkit for Stealth

by Augusto II Remillano, Kiyoshi Obuchi, and Arvin Roi Macaraeg

With the popularity of cryptocurrencies, it is no surprise that cybercriminals continue to develop and fine-tune various cryptocurrency-mining malware. Indeed, this kind of threat is one of Trend Micro's most consistently detected malware, affecting a wide range of platforms and devices.

We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems. It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.

Interestingly, the permission model in Unix and Unix-like operating systems like Linux make it tricky to run executables with privileges. We construe that this cryptocurrency-mining malware’s infection vector is a malicious, third-party/unofficial or compromised plugin (i.e., media-streaming software). Installing one entails granting it admin rights, and in the case of compromised applications, malware can run with the privileges granted to the application. It’s not an uncommon vector, as other Linux cryptocurrency-mining malware tools have also used this as an entry point.

Figure 1: The cryptocurrency-mining malware’s infection chain

Technical analysis

The initial file (Trojan.Linux.DLOADER.THAOOAAK) connects and downloads a file from Pastebin. The downloaded file, which is a shell script, is saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns every hour. Lastly, the downloaded shell script is executed. /bin/httpdns contains a shell script that connects and downloads another base64-encoded text file. After decoding, the resulting file is also a shell script that is executed by /bin/httpdns.

Figure 2: How the shell script is downloaded and saved

Once executed, the shell script first checks whether there is an update available for the malware. As of this writing, the link contains the string “noupdate,” indicating that there are currently no updates for the malware. If there is an update available, the shell script will then call its echocron function responsible for downloading and scheduling a task that will execute the malware update.

If there are no updates available, the shell script will then proceed to its routine by first calling its downloadrun function (shown in Figure 4), which downloads the actual malicious cryptocurrency miner. Although the extension of the URL it connects to is .jpg, the actual file is an ELF executable; it is saved as /tmp/kworkerds. 

After downloading and executing the cryptocurrency-mining malware, the shell script then calls its init function, which downloads a version of the initial file. The downloaded file is saved as /usr/sbin/netdns and then installed as a service. Afterwards, the echocron function is called.

The shell script will sleep for 10 seconds then check whether a connection was made on port 56415. If there were no connections, it will execute its downloadrunxm function. This function is responsible for downloading another cryptocurrency miner (Coinminer.Linux.KORKERDS.AA) in case the one downloaded by the downloadrun function didn’t work properly.

Figure 5: The malware’s top function

Installing the rootkit component 

The updated version of the malware has the top function, which is responsible for downloading and installing the rootkit. It first checks whether there is already a rootkit installed in the affected machine. If it fails to find one, it will download and install its rootkit and then save it as /usr/local/lib/libdns.so. 

Typically, process monitoring tools can detect the presence of a cryptocurrency miner. Figure 6 shows an image of the htop (a process viewer/monitoring tool for Unix systems) detecting /tmp/kworkerds using up the resources of the affected machine. As shown in Figure 6, the rootkit component hides the process causing the high consumption of resources even if it’s detecting that the CPU usage of the affected system is at maximum. 

The rootkit component of the cryptocurrency-mining malware is a slightly modified/repurposed version of a publicly available code. Upon installation, all processes named “kworkerds” will be invisible to process monitoring tools. These tools normally work by accessing the files located in the /proc/{PID} directories. By blocking access to a process’ /proc/{PID} directory, users won’t be able to detect it through normal means.

To that end, the rootkit hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library. These APIs are commonly used by process monitoring tools to get its information. Through preloading (storing files in the memory), the rootkit will override the normal library file by replacing the normal readdir file with the rootkit’s own version of readdir (Figure 7). Once the API is hooked, process monitoring tools won’t be able to see processes with the name “kworkerds”.

Best practices and Trend Micro solutions

While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable. 

Cryptocurrency-mining malware can cause significant performance issues, especially on Linux systems, given their ubiquity in running and maintaining business processes — from servers, workstations, application development frameworks, and databases to mobile devices. IT and system administrators should practice security hygiene, which includes:

• Enforcing the principle of least privilege by disabling, removing, or minimizing the use of unverified libraries or repositories.
• Hardening the systems by using verified security extensions that can help with issues like misconfigurations.
• Reducing the system’s attack surface through access control policies that manage access to files and system or network resources; and regular monitoring of systems and networks for anomalous activities.
• Regularly patching the systems to prevent vulnerabilities from being exploited; use updated versions of server-based applications to lessen the risk of compromises; and employing security mechanisms such as intrusion detection and prevention systems. 

Users and businesses can also consider adopting security solutions that can defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs):

Related hashes (SHA-256):

• cdd921a5de5d5fffc51f8c9140afa9d23f3736e591fce3f2a1b959d02ab4275e (Trojan.Linux.DLOADER.THAOOAAK)
• baf93d22c9d1ae6954942704928aeeacbf55f22c800501abcdbacfbb3b2ddedf (Coinminer.Linux.KORKERDS.AB)
• 0179fd8449095ac2968d50c23d37f11498cc7b5b66b94c03b7671109f78e5772 (Coinminer.Linux.KORKERDS.AA)
• 023c1094fb0e46d13e4b1f81f1b80354daa0762640cb73b5fdf5d35fcc697960 (Rootkit.Linux.KORKERDS.AA)

Related malicious URL:

• hxxps://monero[.]minerxmr[.]ru/1/1535595427x-1404817712[.]jpg