Linux Cryptominer Trojan Hiding Within an Image File



Because of the cryptocurrency market's significant growth in the past couple of years, everyone wants a piece of that pie. Ransomware is still the most popular way for cybercriminals to generate cryptocurrency income, but these days everything from personal computers to mobile devices and servers is being targeted as a possible host for secretly mining cryptocurrency. This week the SonicWall Capture Labs Threat Research Team received reports of a malware sample that purports to be an image file but drops a cryptominer for Linux.

Infection cycle:

At first glance, this file appears to be harmless. It displays this image when executed:

And also has a standard header for a PNG file:

Upon more thorough inspection, towards the end of the PNG data we find the header of another standard file format: ELF, the Linux executable format.

Extracting this executable file, we find that it is an XMRig Monero cryptocurrency miner.
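One way to check a file for this trick, as an added example that is not part of the original analysis or of SonicWall's tooling: a Python scanner that walks the PNG chunk chain up to the IEND chunk (validating each chunk's length and CRC) and reports any bytes that follow it, flagging them when they start with the ELF magic. The minimal PNG and the fake ELF header used as input are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"

def png_end_offset(data: bytes) -> int:
    """Walk the chunk chain and return the offset just past the IEND chunk.
    Each chunk's length and CRC are checked so a forged chunk cannot shift it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                   # header + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at %d" % (ctype, pos))
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in chunk %r at %d" % (ctype, pos))
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")

def scan_png_trailer(data: bytes) -> dict:
    """Report bytes after IEND; give the offset if they begin with ELF magic."""
    tail_start = png_end_offset(data)
    tail = data[tail_start:]
    return {
        "trailing_bytes": len(tail),
        "elf_offset": tail_start if tail.startswith(ELF_MAGIC) else None,
    }

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a valid 1x1 PNG, then the same PNG with a fake ELF
# header appended after IEND (a stand-in for the dropped miner, not a binary).
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00" * 5))
             + _chunk(b"IEND", b""))
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"<fake elf body>"
POLYGLOT_PNG = CLEAN_PNG + FAKE_ELF
```

Image viewers stop at IEND, so the picture still renders while the trailer goes unnoticed; the reported offset is where a carving step would start.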

Its main function is to mine Monero using the wallet address shown below.

This type of attack is so prevalent that we have seen a steady increase in detections by this specific Gateway Antivirus signature over the past 40 days.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: CoinMiner.AEO (Trojan)

