A new coinminer malware strain which targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner has been observed while searching for and killing other Linux malware and coin miners present on the compromised machine.
While cryptocurrency mining programs are not malicious tools on their own, they are seen as malware when used by threat actors to surreptitiously mine for cryptocoins by stealing processing resources from unaware victims.
In this case, a malicious coinminer script was detected by Trend Micro's Augusto Remillano II and Jakub Urbanec on one of their honeypots and, according to their analysis, it is sharing some code parts with the
Xbash malware and it is very closely related to the
KORKERDS cryptocurrency miner known for hiding with the help of a rootkit.
This KORKERDS variant does not use rootkits to conceal itself, but, instead, it downloads a universal Stratum XMR-Stak pool miner which uses the system's CPU or GPU to mine
Cryptonight currencies.
