Aside from the high profit potential, cryptomining malware is favored by threat actors because of its ability to remain undetected on the system. Windows and macOS have both been targeted by cryptominers, and now it appears that Linux is being targeted as well. Of course, this is not the first case of Linux falling victim to a cryptominer, but such infections are far less common.
Trend Micro recently came across a cryptomining malware which they detected as Coinminer.Linux.KORKERDS.AB, or simply KORKERDS.
More about the KORKERDS Miner and Rootkit
The malware specifically targets Linux systems and is notable for being bundled with a rootkit component, detected as Rootkit.Linux.KORKERDS.AA. The rootkit hides the malicious processes from process monitoring tools, thus evading detection; the only sign of infection left for an administrator is the performance degradation on the compromised machine. Of the rootkit component, the researchers say:
While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable.
Coinminer.Linux.KORKERDS.AB also uses obfuscation and packing, and it can update and upgrade both itself and its configuration file.
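The two things the rootkit admittedly cannot hide, CPU load and network connections, are exactly what a responder should pivot on. The script below is an added example written for this article; it is not code from the page or from Trend Micro's report, and it does not use any KORKERDS indicator. It assumes a Linux host with /proc mounted and a user-space rootkit that hides processes by hooking directory listing in libc (the usual LD_PRELOAD approach, an assumption here rather than something the article states), so that `kill(pid, 0)` and a direct read of `/proc/<pid>/stat` still reach a PID that `readdir()` omits. The `/proc/net/tcp` sample embedded in it is constructed, not captured.

```python
"""Added example, not code from the article or from Trend Micro's report.
Cross-checks a Linux host on which a user-space rootkit hides the miner from
process listings but, as the article notes, cannot hide its CPU load or its
connections. Assumptions (not from the article): /proc is mounted, and the
rootkit hooks directory listing in libc (the usual LD_PRELOAD trick), so that
kill(pid, 0) and /proc/<pid>/stat still reach a PID that readdir() omits.
"""
import os
import time

CLK_TCK = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100

# Constructed /proc/net/tcp sample (not a real capture): 127.0.0.1:8080 -> 10.0.0.2:3000, inode 12345
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:1F90 0200000A:0BB8 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0\n"
)

def parse_stat(text):
    """(pid, comm, cpu_ticks) from a /proc/<pid>/stat line. comm may contain
    spaces or ')' (miners like to mimic kernel threads), so split on the last ')'."""
    head, _, rest = text.rpartition(")")
    pid, _, comm = head.partition("(")
    fields = rest.split()
    return int(pid), comm, int(fields[11]) + int(fields[12])  # utime + stime

def listed_pids():
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}  # what a hooked readdir() shows

def probed_pids(max_pid=None):
    """PIDs found by signalling each candidate with 0; EPERM still proves existence."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def hidden_pids(listed, probed):
    """Processes the kernel knows about but the directory listing omits."""
    return probed - listed

def snapshot(pids):
    snap = {}
    for pid in pids:
        try:
            with open(f"/proc/{pid}/stat") as f:
                _, comm, ticks = parse_stat(f.read())
            snap[pid] = (comm, ticks)
        except OSError:
            continue  # exited between probe and read
    return snap

def cpu_hogs(before, after, interval_s, clk_tck=CLK_TCK, threshold_pct=80.0):
    """(pid, comm, pct) for processes at or above threshold_pct of one core, highest first."""
    hogs = []
    for pid, (comm, ticks) in after.items():
        if pid in before:
            pct = (ticks - before[pid][1]) * 100.0 / (interval_s * clk_tck)
            if pct >= threshold_pct:
                hogs.append((pid, comm, round(pct, 1)))
    return sorted(hogs, key=lambda h: h[2], reverse=True)

def _hex_addr(s):
    ip_hex, port_hex = s.split(":")
    ip = ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))  # little-endian IPv4
    return f"{ip}:{int(port_hex, 16)}"

def parse_net_tcp(text):
    """ESTABLISHED IPv4 sockets as (local, remote, inode) from /proc/net/tcp text."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) > 9 and f[3] == "01":  # 01 = TCP_ESTABLISHED
            conns.append((_hex_addr(f[1]), _hex_addr(f[2]), int(f[9])))
    return conns

def socket_inodes(pid):
    """Socket inodes open in pid, read from /proc/<pid>/fd (root needed for other users' pids)."""
    try:
        links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
    except OSError:
        return set()
    return {int(t[8:-1]) for t in links if t.startswith("socket:[")}

if __name__ == "__main__":
    probed = probed_pids()
    for pid in sorted(hidden_pids(listed_pids(), probed)):
        print(f"hidden from readdir: pid {pid}")
    before = snapshot(probed)
    time.sleep(5)
    after = snapshot(probed)
    with open("/proc/net/tcp") as f:
        conns = parse_net_tcp(f.read())
    for pid, comm, pct in cpu_hogs(before, after, 5.0):
        inodes = socket_inodes(pid)
        peers = [r for _, r, ino in conns if ino in inodes]
        print(f"pid {pid} ({comm}) {pct}% CPU, peers: {peers or 'none visible'}")
```

Run it as root so the fd symlinks of other users' processes are readable; with a default pid_max of 4194304 the signal-0 sweep takes a few seconds. The check is deliberately independent of `ps`, `top` and `netstat`, which are the tools a libc-hooking rootkit subverts. It does not defeat a kernel-mode rootkit that filters the syscalls themselves, so a clean result only rules out the user-space case the article describes.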
It should be noted that the permission model of Unix and Unix-like operating systems such as Linux makes it harder to run executables with elevated privileges. Because of this, the researchers believe the cryptominer's infection vector is a malicious or compromised third-party plugin.
Installing such a plugin requires granting it admin rights, and in the case of a compromised application, the malware runs with whatever privileges that application was granted, Trend Micro noted. This is not an unusual scenario: other Linux miners have used the same entry point.
Trend Micro’s report contains a full technical disclosure of the KORKERDS infection, including file names, process names and file hashes, which Linux users can use to track down the miner and clean an infected system.
How to Improve Linux Security against Malware Infections: Tips
It should be noted that, because Linux systems are ubiquitous in running and maintaining business processes such as servers, workstations and application development frameworks, cryptocurrency miners can cause significant performance problems for a business. In that regard, security researchers share some practices that IT and system administrators should consider:
- Disabling, removing or minimizing the use of unverified libraries or repositories to enforce the principle of least privilege;
- Hardening the systems by using verified security extensions to deal with misconfigurations;
- Reducing the system’s attack surface through access control policies that manage access to files and system or network resources;
- Regular monitoring of systems and networks for anomalous activities;
- Regularly patching the systems to prevent vulnerabilities from being exploited;
- Using updated versions of server-based applications to minimize the risk of compromises;
- And finally, employing security mechanisms such as intrusion detection and prevention systems.