Coinminer.Linux.MALXMR.UWEKT
Linux
Threat Type: Coinminer
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.
TECHNICAL DETAILS
3,672,976 bytes
ELF
Yes
05 Jun 2020
Arrival Details
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Coinminer requires the following additional components to properly run:
- {Coinminer Directory}\config.json
It does the following:
- Accepts the following Parameters:
- -b, --bind=ADDR bind to specified address, example "0.0.0.0:3333"
- -a, --algo=ALGO mining algorithm https://xmrig.com/docs/algorithms
- --coin=COIN specify coin instead of algorithm
- -m, --mode=MODE proxy mode, nicehash (default) or simple
- -o, --url=URL URL of mining server
- -O, --userpass=U:P username:password pair for mining server
- -u, --user=USERNAME username for mining server
- -p, --pass=PASSWORD password for mining server
- --encin encin
- --encout encout
- --rig-id=ID rig identifier for pool-side statistics (needs pool support)
- --tls-fingerprint=F pool TLS certificate fingerprint, if set enable strict certificate pinning
- -k, --keepalive prevent timeout (needs pool support)
- -r, --retries=N number of times to retry before switch to backup server (default: 1)
- -R, --retry-pause=N time to pause between retries (default: 1 second)
- --custom-diff=N override pool diff
- --reuse-timeout=N timeout in seconds for reuse pool connections in simple mode
- --verbose verbose output
- --user-agent=AGENT set custom user-agent string for pool
- --no-color disable colored output
- --no-workers disable per worker statistics
- --variant algorithm PoW variant
- --donate-level=N donate level, default 2%%
- -B, --background run the miner in the background
- -c, --config=FILE load a JSON-format configuration file
- -l, --log-file=FILE log all output to a file
- -S, --syslog use system log for output messages
- -A --access-log-file=N log all workers access to a file
- --access-password=P set password to restrict connections to the proxy
- --no-algo-ext disable "algo" protocol extension
- --api-worker-id=ID custom worker-id (instance name) for API
- --api-id=ID custom instance ID for API
- --http-enabled enable HTTP API
- --http-host=HOST bind host for HTTP API (by default 127.0.0.1)
- --http-port=N bind port for HTTP API
- --http-access-token=T access token for HTTP API
- --http-no-restricted enable full remote access to HTTP API (only if access token set)
- --tls enable SSL/TLS support for pool connection (needs pool support)
- --tls-bind=ADDR bind to specified address with enabled TLS
- --tls-cert=FILE load TLS certificate chain from a file in the PEM format
- --tls-cert-key=FILE load TLS certificate private key from a file in the PEM format
- --tls-dhparam=FILE load DH parameters for DHE ciphers from a file in the PEM format
- --tls-protocols=N enable specified TLS protocols, example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
- --tls-ciphers=S set list of available ciphers (TLSv1.2 and below)
- --tls-ciphersuites=S set list of available TLSv1.3 ciphersuites
- -h, --help display this help and exit
- -V, --version output version information and exit
- Supported algo options:
- cryptonight/0
- cryptonight
- cryptonight/1
- cryptonight/2
- cryptonight-monerov7
- cryptonight-monerov8
- cryptonight/r
- cryptonight/fast
- cryptonight/msr
- cryptonight/half
- cryptonight/xao
- cryptonight_alloy,
- cryptonight/rto
- cryptonight/rwz
- cryptonight/zls
- cryptonight/double
- cryptonight/gpu
- cryptonight-lite/0
- cryptonight-lite/1
- cryptonight-lite
- cryptonight-light
- cryptonight_lite
- cryptonight-aeonv7
- cryptonight_lite_v7
- cryptonight-heavy/0
- cryptonight-heavy
- cryptonight_heavy
- cryptonight-heavy/xhv
- cryptonight_haven
- cryptonight-heavy/tube
- cryptonight-bittube2
- cryptonight-pico
- cryptonight-pico/trtl
- cryptonight-turtle
- cryptonight-ultralite
- cryptonight_turtle
- randomx/test
- RandomX
- RandomWOW
- RandomXL
- randomx/arq
- RandomARQ
- randomx/loki
- randomx/wow
- randomx/0
- argon2/chukwa
- argon2/wrkz
- Supported coin options:
- monero
- arqma
It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.
SOLUTION
9.850
15.912.05
05 Jun 2020
15.913.00
06 Jun 2020
Scan your computer with your Trend Micro product to delete files detected as Coinminer.Linux.MALXMR.UWEKT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.