Threat Watch

Linux CryptoMiners Use Rootkits to Remain Hidden

Coinminer.Linux.KORKERDS.AB that affects Linux systems. It’s bundled with a rootkit component that hides its malicious process from detection tools. It has a capability that allows it to update and upgrade itself along with its configuration file. It is currently unknown what software installs the miner, however it is believed to be a compromised plugin or unofficial media streaming software. When first installed, the executable downloads and executes a series of shell scripts which will install the miner and rootkit. The miner is installed to /tmp/kworkerds and executed. When the rootkit is not installed, the kworkerds uses 100% of the CPU. When the rootkit is installed, the process causing the CPU usage to spike is not visible even though the total system utilization is still displayed as 100%.

ANALYST NOTES

To prevent infection of the rootkit, users can enforce the principle of least privilege. This can be done by removing, disabling, or minimizing the usage of unverified libraries or repositories or running applications through unprivileged user accounts when possible. Users can also reduce chances of successful attacks with access control policies that manage files and systems along with network resources. When made available, users should patch systems in order to prevent vulnerabilities from being exploited. It is important to use the most up-to-date version of server-based applications.