A new security report reveals that a dangerous new Linux Trojan has been found to infect computers worldwide. It is categorized as a hybrid threat as it encompasses attack scenarios of several types of infections. The attacks are found to take advantage of two vulnerabilities: CVE-2016-5195 and CVE-2013-2094.
The Linux.BtcMine.174 Trojan Exploits Both CVE-2013-2094 and CVE-2016-5195
Linux Trojans continue to emerge as they have been found to be particularly effective against mass-deployed workstations and servers on targeted networks. A particularly dangerous infection has recently been reported to infect networks worldwide.. It has been assigned the generic identified of Linux.BtcMine.174. The Trojan itself is a collection of commands contained within a shell script containing over 1,000 lines of code. The infections start with a script that searches for a location on the local hard drive which has write permissions. There it will copy itself and launch the rest of the modules.
It is being spread by using two exploits:
- CVE-2016-5195 — This is the famous collection of exploits known as “Dirty Cow” which targets Linux and Android devices. It was fixed by Google in theDecember 2016 update bulletin. This is a kernel vulnerability which takes advantage of a race condition that allows malicious code to gain write-access to read-only memory. Unpatched systems can easily be compromised with the virus code.
- CVE-2013-2094 — This bug exploits a vulnerability in the Linux Kernel which allows local users to gain privileges to the system.
Once impacted the malware code will set itself as a local daemon which will trigger the download of the infection engine. The Linux Trojan will proceed with the launch of the built-in configuration associated with each campaign. This means that every single attack might produce a different behavior and resulting impact. The captured samples so far start a cryptocurrency mining instance. Before launching itself it will scan the memory and hard drive contents for other miners. This is done in order to maximize the income generation for the hacker operators. The current campaign loads a Monero-based miner.
The Linux.BtcMine.174 Hybrid Linux Trojan Continues Further
After the threat has been implanted onto the target system the acquired Linux.BtcMine.174 samples have been found to download another malware called the Bill Gates Trojan. This is a sophisticated DDoS (distributed denial-of-service) virus that also allows the hacker operators to take over control of the infected hosts.
An associated security bypass is done as well — it will scam for processes running in memory that are associated with Linux-based anti-virus products. If such are found they are going to be killed instantly to avoid detection. Following it the Trojan will set itself as a daemon and install a rootkit module. It superseeds the Trojan’s operations by being able to steal user-entered passwords and hide itself deep in the system.
The analysis of Linux.BtcMine.174 shows that a separate function is installed which will harvest credentials information, in this particular case a list of all remote servers and credentials. This allows the hacker operators to hijack the required strings and be able to connect to these machines. This allows for automated infection of whole networks of computers.
It is believed that this mechanism is the main distribution channel. Active infections can be difficult to spot as they are no different than regular remote connections initiated by users. The checksums for the detected Trojan files have been published on GitHub. This allows system administrators to scan their systems and identify if they have been infected.