Coinminer.Linux.KORKERDS.AB is a coin miner that affects Linux systems. It’s bundled with a rootkit component that hides its malicious process from detection tools. It can also update and upgrade itself along with its configuration file. It is currently unknown what software installs the miner; however, it is believed to be a compromised plugin or unofficial media streaming software. When first installed, the executable downloads and executes a series of shell scripts, which install the miner and the rootkit. The miner is installed to /tmp/kworkerds and executed. When the rootkit is not installed, the kworkerds process uses 100% of the CPU. When the rootkit is installed, the process causing the CPU spike is not visible, even though total system utilization is still displayed as 100%.
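The symptom described above (total utilization at 100% with no process accounting for it) can be checked by comparing the CPU time in /proc/stat with the time summed over every PID the /proc listing shows. The following is an added example, not code from the original write-up; the sample snapshots, PIDs and tick counts are constructed.

```python
import os, time

def cpu_jiffies(proc_stat_text):
    """(user+nice+system, total) jiffies from the aggregate 'cpu' line of /proc/stat."""
    f = [int(x) for x in proc_stat_text.splitlines()[0].split()[1:9]]
    return f[0] + f[1] + f[2], sum(f)

def pid_jiffies(pid_stat_text):
    """utime + stime (fields 14, 15). Split after the last ')': comm may contain spaces."""
    rest = pid_stat_text.rsplit(")", 1)[1].split()
    return int(rest[11]) + int(rest[12])

def unattributed_cpu(before, after):
    """Share of CPU capacity used between two snapshots that no listed PID accounts for."""
    busy0, total0 = cpu_jiffies(before[0])
    busy1, total1 = cpu_jiffies(after[0])
    visible = sum(pid_jiffies(s) - (pid_jiffies(before[1][p]) if p in before[1] else 0)
                  for p, s in after[1].items())
    return max(busy1 - busy0 - visible, 0) / max(total1 - total0, 1)

def snapshot(proc="/proc"):
    """Live snapshot: /proc/stat text plus the stat text of every PID the listing shows."""
    pids = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{name}/stat") as fh:
                pids[name] = fh.read()
        except OSError:          # process exited while we were reading
            pass
    with open(f"{proc}/stat") as fh:
        return fh.read(), pids

# Constructed sample data (not captured from an infected host).
def _stat(pid, comm, utime, stime):
    return f"{pid} ({comm}) S 0 1 1 0 -1 4194560 100 0 0 0 {utime} {stime} 0 0"

BEFORE = ("cpu  1000 0 500 8000 0 0 0 0 0 0\n",
          {"1": _stat(1, "systemd", 50, 30), "812": _stat(812, "Web Content", 200, 40)})
_AFTER_PIDS = {"1": _stat(1, "systemd", 51, 31), "812": _stat(812, "Web Content", 206, 42)}
AFTER_HIDDEN = ("cpu  1990 0 510 8000 0 0 0 0 0 0\n", _AFTER_PIDS)
AFTER_VISIBLE = ("cpu  1990 0 510 8000 0 0 0 0 0 0\n",
                 {**_AFTER_PIDS, "4242": _stat(4242, "kworkerds", 985, 5)})

if __name__ == "__main__":
    print("miner listed:", unattributed_cpu(BEFORE, AFTER_VISIBLE))   # 0.0
    print("miner hidden:", unattributed_cpu(BEFORE, AFTER_HIDDEN))    # 0.99
    first = snapshot(); time.sleep(5)
    print("this host   :", round(unattributed_cpu(first, snapshot()), 3))
    print("/tmp/kworkerds present:", os.path.exists("/tmp/kworkerds"))
```

Processes that exit between the two snapshots leave a small unattributed share on a healthy host, so only a large value that persists across repeated runs is worth investigating.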
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is