Posts

Cryptomining trojan targeting Linux platforms seen in the wild

/in /by

This week, the Sonicwall Capture Labs team came across another cryptominer that targets the Linux platform. This Trojan arrives armed with functionalities to ensure successful infection including using rootkit and known Linux exploits.

Infection Cycle

This Trojan comes as a bash file with over 800 lines of codes. Its main function is to mine cryptocurrency using the Stratum mining protocol and cryptonight algorithm on pools such as supportxmr.com, minexmr.com, poolin.com, dwarfpool.com, nanopool.com and f2pool.com. To gain root access and basically full control of the victim machine it uses BRootkit, leverages a vulnerability –  CVE-2016-5195 and uses BillGates Linux malware.

The script consists of the following sub functions:

  • BasicInit – to check connectivity, ping the remote host (auth.to0ls.com or 90.140.35) and check the platform type by checking the “issue” file to identify whether it is CentOS, Ubuntu or Debian.
  • RunInBack – to get root access it will download another component that uses a known exploit called Dirty Cow (CVE-2016-5195) – a privilege escalation vulnerability in the Linux kernel.
  • WorkProc – main mining function
  • Dandelion – it tries to infect other systems by looking at
  • Scavenger – it kills services and uninstalls the following: safedog, aegis, yunsuo, clamd, Avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.
  • SetStartup – downloads the nohup utility if not present and add itself as a local daemon in
  • Rootkit – it downloads and runs a rootkit called BRootkit (available here) whose functionalities include getting root access, hiding processes, directories and network connections among many others.
  • GetRootAccess – more functionalities to get root access using DirtyCow exploit
  • Checkupdate – check for the most current version on the remote host
  • Guard – Downloads another known linux Trojan called BillGates. It uses its functionality “CleartheGates” opening ports and services and nearly taking full control over the infected system.

This malware author clearly took the time to guarantee persistence and successful infection.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.LNX (Trojan)
  • GAV: Billgates.ELF (Trojan)
  • GAV: CVE-2016-5195.DC (Exploit)
  • GAV: BRootkit.LNX (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Linux mining Trojan comes packed with multiple malicious functionalities

/in /by

The SonicWALL Capture Labs team has come across another cryptomining Trojan that is designed to infect Linux machines. The Trojan comes as a shell script with a myriad of functionalities which makes the attack even more potent. At its core, it runs a slew of commands to ensure it will run on the system and carry out its Monero-mining activity uninterrupted.

Infection Cycle:
The Trojan arrives as a bash script. The script starts off with the usual bash shebang followed by an image of Buddha and a reference to a Latin proverb “Audentes fortuna iuvat” before the actual lines of code begin.

The Trojan uses the remote host d4uk.7h4uk.com which has been seen associated with different malwares. The main mining Trojan is an ELF file based on XMRig, a Monero (XMR) CPU miner.

The Trojan checks for existence of known Linux antivirus services such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord. The script then kills these processes and completely removes them from the system using the dpkg utility.

To ensure exclusive use of the CPU resource, it also checks for the existence of other mining utilities and kills these processes.

It downloads a number of component files which in turn uses a privilege escalation vulnerability in Linux known as Dirty Cow (CVE-2016-5195) to provide the Trojan root access privileges.

It downloads several components of a rootkit which is implemented in bash scripts and executes them. This rootkit is called BRootkit which boasts of functionalities such as password stealing, hiding files and directories, can act as a port scanner, downloader and backdoor. This rootkit is available for download on Github.

It also downloads a known DDos botnet called Elknot or BillGates.

It then runs the mining Trojan component while checking for an update from the remote host every now and then.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Linux.Miner (Trojan)
  • GAV: XMRig.XMR_3 (Trojan)
  • GAV: Dirtycow.ED (Trojan)
  • Cloud (Id: 19905906) Elknot.AS (Trojan)