Monero miner obfuscates itself from most monitoring tools

Nov 9, 2018 18:55 GMT  ·  By

A new cryptocurrency-mining malware strain that targets Linux computers and uses a rootkit to hide itself from both the user and process-monitoring tools has been discovered by a team of Trend Micro security researchers.

Because there is no obvious way in which the cryptomining malware compromises and infects the Linux boxes, Trend Micro's researchers believe that the bad actors behind this strain have compromised a legitimate application and are using it to install their malicious tools on targets' computers.

"We construe that this cryptocurrency-mining malware’s infection vector is a malicious, third-party/unofficial or compromised plugin (i.e., media-streaming software)," says Trend Micro's report.

"Installing one entails granting it admin rights, and in the case of compromised applications, malware can run with the privileges granted to the application. It’s not an uncommon vector, as other Linux cryptocurrency-mining malware tools have also used this as an entry point."

Trend Micro named the Monero-mining malware Coinminer.Linux.KORKERDS.AB and the rootkit component it uses to hide as Rootkit.Linux.KORKERDS.AA.

The Monero mining malware hides using a rootkit component but fails to mask the increased resource usage

The coinminer hides in plain sight: the user cannot work out why the Linux-powered machine has performance issues, because most system monitoring tools report that all running processes are behaving properly, the "kworkerds" processes the malware spawns being hidden by the rootkit.

This means that while the user can see that the system's CPU usage is going through the roof, they won't be able to pinpoint the responsible process, which makes troubleshooting the issue and detecting or removing the malware quite tricky.
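The gap described above, visible CPU load with no process to blame, is also a detection opportunity. The script below is an added example, not code from Trend Micro's report: it assumes the rootkit hides processes by filtering the directory listing of /proc (the readdir() path that ps and top rely on), so it probes every PID up to the kernel's pid_max directly and reports PIDs that exist but are missing from the listing. It also flags user-space processes wearing a kworker-style name such as "kworkerds", since genuine kworker threads are kernel threads with an empty cmdline and a name of the form kworker/<cpu>:<n> (the regex for that form is my assumption).

```python
"""Spot processes hidden from readdir()-based tools and kworker lookalikes."""
import os
import re

# Genuine kernel worker threads: kworker/<cpu>:<n>, kworker/u<pool>:<n>, optional H suffix (assumed form).
KWORKER_RE = re.compile(r"^kworker/u?\d+:\d+H?$")

def pids_via_listing():
    """What ps/top see: readdir() on /proc, the call a user-space rootkit typically hooks."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_via_probe(pid_max):
    """Touch every candidate PID directly; a readdir() hook cannot filter this path."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)          # signal 0 only checks that the PID exists
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)           # exists but belongs to another user
    return found

def hidden_pids(listed, probed):
    """PIDs that exist but never appear in the directory listing."""
    return sorted(probed - listed)

def lookalike_kworker(name, has_cmdline):
    """True for a user-space process with a kworker-style name (e.g. kworkerds)."""
    if not name.startswith("kworker"):
        return False
    return has_cmdline or not KWORKER_RE.match(name)

def proc_name_and_cmdline(pid):
    """Read comm and whether cmdline is non-empty (kernel threads have an empty cmdline)."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            name = f.read().strip()
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            has_cmdline = bool(f.read())
    except OSError:
        return "?", False
    return name, has_cmdline

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = pids_via_listing()
    for pid in hidden_pids(listed, pids_via_probe(pid_max)):
        print(f"hidden from readdir(): pid {pid} {proc_name_and_cmdline(pid)[0]}")
    for pid in sorted(listed):
        name, has_cmd = proc_name_and_cmdline(pid)
        if lookalike_kworker(name, has_cmd):
            print(f"kworker lookalike: pid {pid} {name}")
```

A process that exits between the listing and the probe shows up as a one-off false positive, so rerun before acting on a hit; a PID that is hidden on every run warrants a look at /proc/<pid>/exe and the network connections the article notes the rootkit does not conceal.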

"While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools," said Trend Micro. "And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable."

In what amounts to a coup de grâce for cryptocurrency-mining malware peddlers, Trend Micro unveiled another malicious cryptominer on the same day (detected as Coinminer.Win32.MALXMR.TIAOODAM), which targets Windows machines and, like its Linux-focused counterpart, uses a variety of methods to stay as stealthy as possible.

Photo gallery captions: Linux cryptominer malware; Infection chain; Cryptominer processes not hidden.