Researchers have discovered a new malware family targeting Linux users. The malware, Linux.BtcMine.174, was first seen this month. The Trojan is driven by a shell script of over 1,000 lines, which is the first component to run once a system is infiltrated. The script first looks for a directory on disk where it has write permission, so that it can copy itself there and later download its other modules. It then exploits CVE-2016-5195 (Dirty COW) or CVE-2013-2094 to gain root privileges and full control of the operating system. Next it sets itself up as a local daemon, downloading the nohup utility for this purpose unless it is already present.

The Trojan then moves on to its primary function, cryptomining. It scans the system for other cryptominers; if one is found, it terminates that process and starts its own Monero mining operation. It also downloads and runs the Bill.Gates trojan, which provides a range of backdoor-like functions. Following this, the malware searches for the process names of Linux-based antivirus products and terminates them. The names include aegis, avgd, avast, clamd, cmdmgd, drweb-configd, drwev-spider-kmod, esets, safedog, xmirrord, and yunsuo.

According to the researchers, “the trojan also adds itself as an autorun entry to files like /etc/rc.local, /etc/rc.d/…, and /etc/cron.hourly; and then downloads and runs a rootkit.” The rootkit can steal passwords entered by the user for the su command and can hide files anywhere on the system. The malware also runs a function that collects information on every remote server the victim has connected to via SSH. Linux.BtcMine.174 then attempts to connect to those machines and spread itself to them as well. The researchers believe this SSH self-spreading mechanism is the malware's primary distribution method.
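The write-up names two things a defender can audit directly: the autorun locations the Trojan writes to (/etc/rc.local, /etc/rc.d/…, /etc/cron.hourly) and the SSH host information it harvests for self-spreading. The following POSIX shell script is an added example, not code from the page or from the researchers; it flags autorun entries that reference a world-writable staging directory (the choice of /tmp, /var/tmp and /dev/shm as likely staging locations and the 7-day "recently modified" window are assumptions) and counts plaintext entries in known_hosts files, since hashing them (`HashKnownHosts yes` in ssh_config) limits what a harvester can read from them. The `root` argument lets the same functions be pointed at a fixture tree instead of the live system.

```shell
#!/bin/sh
# Added example: audit helpers for the persistence and SSH-harvesting behaviour
# described in the Linux.BtcMine.174 write-up. Not the malware's code and not
# the researchers' tooling; staging-directory list and time window are assumptions.

# audit_autorun ROOT DAYS
#   Walks the autorun files named in the write-up under ROOT and prints one line
#   per finding. Returns 1 if anything was flagged, 0 otherwise.
audit_autorun() {
    root="${1:-/}"     # filesystem root; pass a fixture directory for testing
    days="${2:-7}"     # assumption: entries changed in the last 7 days deserve a look
    findings=0
    for f in "$root/etc/rc.local" "$root"/etc/rc.d/* "$root"/etc/cron.hourly/*; do
        [ -f "$f" ] || continue
        # The Trojan stages itself in any directory it can write to; world-writable
        # directories are the usual candidates (assumption, not stated on the page).
        if grep -Eq '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/' "$f"; then
            echo "SUSPECT: $f references a world-writable staging directory"
            findings=$((findings + 1))
        fi
        # -mtime -N: modified less than N*24 hours ago.
        if [ -n "$(find "$f" -mtime "-$days" 2>/dev/null)" ]; then
            echo "RECENT: $f modified within the last $days days"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# audit_known_hosts ROOT
#   Counts unhashed (plaintext) entries in each user's known_hosts under ROOT.
#   Hashed entries start with "|1|"; comments and blank lines are ignored.
#   Returns 1 if any plaintext entry exists, 0 otherwise.
audit_known_hosts() {
    root="${1:-/}"
    exposed=0
    for kh in "$root"/root/.ssh/known_hosts "$root"/home/*/.ssh/known_hosts; do
        [ -f "$kh" ] || continue
        n=$(grep -Evc '^(\||#|[[:space:]]*$)' "$kh" || true)
        if [ "$n" -gt 0 ]; then
            echo "PLAINTEXT: $kh has $n unhashed host entries (HashKnownHosts yes would obscure them)"
            exposed=$((exposed + n))
        fi
    done
    [ "$exposed" -eq 0 ]
}
```

On a live host, run `audit_autorun / 7` and `audit_known_hosts /` as root; a non-zero exit from either function means there is something to review. The known_hosts check only reduces what a harvester can learn from that one file; the write-up also notes the rootkit captures su passwords, so hashing known_hosts is a narrowing measure, not a substitute for patching.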
Since the malware relies on two older, well-known kernel exploits for privilege escalation, keeping systems patched is the key mitigation. Users who do not update remain at high risk of compromise.