A recently observed coin miner targeting Linux machines can remove a broad range of other malware families from infected systems, according to researchers from Trend Micro.
The threat, which borrows code from previously seen malware, such as Xbash and KORKERDS, installs crypto-currency mining code onto the victim machine, and achieves persistence through implanting itself into the system and crontabs.
As part of the attack, an initial script is served to the intended target to delete a number of known Linux malware, coin miners, and connections to other miner services and ports, and then download the mining binary.
The script is similar to code of the KORKERDS miner observed in November 2018, but it doesn’t target security products present on the system. Instead, it targets the KORKERDS miner and the rootkit component, deleting the components of the very malware it copied code from.
The script also downloads a modified version of the crypto-currency mining malware XMR-Stak, a universal Stratum pool miner capable of leveraging both CPU and GPU power to mine for Cryptonight currencies.
The infection, Trend Micro’s researchers say, started from some IP cameras and web services via TCP port 8161, where the attacker tries to upload a crontab file that downloads and runs a shell script as a JPG image.
The script then kills previously installed malware, coin miners, and all related services referenced to an accompanying malware, and also creates new directories, files, and stop processes with connections to identified IP addresses.
Next, the script downloads the coin miner binary and another script, and then creates a new crontab to call the script at 1 a.m. It also downloads the shell script itself (the JPG file) and puts it in different crontabs.
The code for downloading and executing the payload was mostly taken from the KORKERDS script, but the routine is simplified.
While this is not the first malware family to attempt to remove other malware from the infected machines, it appears to be the first to attempt to remove Linux threats at this scale, the security researchers say.
“Removing competing malware is just one way cybercriminals are maximizing their profit,” Trend Micro points out.
