Cryptomining trojan targeting Linux platforms seen in the wild


This week, the Sonicwall Capture Labs team came across another cryptominer that targets the Linux platform. This Trojan arrives armed with functionalities to ensure successful infection including using rootkit and known Linux exploits.

Infection Cycle

This Trojan comes as a bash file with over 800 lines of codes. Its main function is to mine cryptocurrency using the Stratum mining protocol and cryptonight algorithm on pools such as,,,, and To gain root access and basically full control of the victim machine it uses BRootkit, leverages a vulnerability –  CVE-2016-5195 and uses BillGates Linux malware.

The script consists of the following sub functions:

  • BasicInit – to check connectivity, ping the remote host ( or 90.140.35) and check the platform type by checking the “issue” file to identify whether it is CentOS, Ubuntu or Debian.
  • RunInBack – to get root access it will download another component that uses a known exploit called Dirty Cow (CVE-2016-5195) – a privilege escalation vulnerability in the Linux kernel.
  • WorkProc – main mining function
  • Dandelion – it tries to infect other systems by looking at
  • Scavenger – it kills services and uninstalls the following: safedog, aegis, yunsuo, clamd, Avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.
  • SetStartup – downloads the nohup utility if not present and add itself as a local daemon in
  • Rootkit – it downloads and runs a rootkit called BRootkit (available here) whose functionalities include getting root access, hiding processes, directories and network connections among many others.
  • GetRootAccess – more functionalities to get root access using DirtyCow exploit
  • Checkupdate – check for the most current version on the remote host
  • Guard – Downloads another known linux Trojan called BillGates. It uses its functionality “CleartheGates” opening ports and services and nearly taking full control over the infected system.

This malware author clearly took the time to guarantee persistence and successful infection.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.LNX (Trojan)
  • GAV: Billgates.ELF (Trojan)
  • GAV: CVE-2016-5195.DC (Exploit)
  • GAV: BRootkit.LNX (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.