Connect with us

Hi, what are you looking for?



Linux Miner Removes Competing Malware From Infected Systems

A recently observed coin miner targeting Linux machines can remove a broad range of other malware families from infected systems, according to researchers from Trend Micro.

A recently observed coin miner targeting Linux machines can remove a broad range of other malware families from infected systems, according to researchers from Trend Micro.

The threat, which borrows code from previously seen malware, such as Xbash and KORKERDS, installs crypto-currency mining code onto the victim machine, and achieves persistence through implanting itself into the system and crontabs.

As part of the attack, an initial script is served to the intended target to delete a number of known Linux malware, coin miners, and connections to other miner services and ports, and then download the mining binary. 

The script is similar to code of the KORKERDS miner observed in November 2018, but it doesn’t target security products present on the system. Instead, it targets the KORKERDS miner and the rootkit component, deleting the components of the very malware it copied code from. 

The script also downloads a modified version of the crypto-currency mining malware XMR-Stak, a universal Stratum pool miner capable of leveraging both CPU and GPU power to mine for Cryptonight currencies. 

The infection, Trend Micro’s researchers say, started from some IP cameras and web services via TCP port 8161, where the attacker tries to upload a crontab file that downloads and runs a shell script as a JPG image. 

The script then kills previously installed malware, coin miners, and all related services referenced to an accompanying malware, and also creates new directories, files, and stop processes with connections to identified IP addresses.

Advertisement. Scroll to continue reading.

Next, the script downloads the coin miner binary and another script, and then creates a new crontab to call the script at 1 a.m. It also downloads the shell script itself (the JPG file) and puts it in different crontabs. 

The code for downloading and executing the payload was mostly taken from the KORKERDS script, but the routine is simplified. 

While this is not the first malware family to attempt to remove other malware from the infected machines, it appears to be the first to attempt to remove Linux threats at this scale, the security researchers say.

“Removing competing malware is just one way cybercriminals are maximizing their profit,” Trend Micro points out. 

Related: Xbash Malware Uninstalls Cloud Security Products

Related: Microsoft Uncovers Multi-Tier Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...