Linux becomes major cryptomining target

News by Mark Mayne

Not only has cryptojacking hit the big time, but now attackers are moving to target Linux. Crypto-mining malware is becoming a key tactic for cyber-criminals.

Not only has cryptojacking hit the big time, but now attackers are moving to target Linux.

Crypto-mining malware is becoming a key tactic for cyber-criminals, with 98.8 percent of common Linux/Downloader malware variants analysed in the first quarter of 2018 being designed to deliver a Linux-based cryptocurrency miner.

The Linux/Downloader is a generic signature for a range of malicious Linux shell scripts, but in Q1 2018 it has been almost entirely attempting to download and run a Linux-based crypto miner (MD5: 748c0b329ab9cc06e7bbe06822fbe767748).

Another key indicator of the rise of cryptojacking, according to the latest Internet security report from WatchGuard Technologies, is that another cryptominer shows up as the 24th threat on the top 25 malware list.

"Besides these two hidden signs of crypto miners in our Q1 data, we have more up-to-date intelligence suggesting that crypto miners continue to grow in Q2. During early Q2, our daily data shows various "Coin Miners" continually appearing on our top 25 list. While it’s too early to say if they will break the top 10 for Q2, we expect them to continue to grow in popularity over the next few quarters", commented the WatchGuard researchers.

Ed Williams, director EMEA, SpiderLabs at Trustwave told SC Media UK: "It appears that the cryptocurrency miners are hedging their bets, this doesn’t surprise me. There is currently a quest for ‘horsepower’ and Linux servers fit the bill. While Windows based servers are not uncommon, concentrating on Linux based servers in the cloud has a number of potential benefits. The scale of Linux in the enterprise coupled with often poor protective monitoring makes these a target of interest.  AV, as we know, provides little barriers of entry to the determined attacker and this scenario is no different. Mitigation is key, and this can be done through better protective monitoring, which can be leveraged through the cloud."

Joseph Carson, chief security scientist at Thycotic told SC Media UK that mitigation could have wider impacts than simply preventing criminal activity: "Cryptocurrencies have had a tough year with billions lost in value and increased costs to cryptominers. To help reduce the cost to crypto miners and keep the value of the cryptocurrencies high by using currency and crypto exchange manipulation, cybercriminals have accelerated the use of Linux Malware to do the work for them. The potential result of more secure systems could drive the fall of Bitcoin and other similar cryptocurrencies that fail to scale."

The WatchGuard report also noted that scripting attacks continue to drop, only

accounting for 30.3 percent of top malware, but with a real focus on EMEA, which was hit by 54 percent of all scripting attacks. In other news, zero day threats continue to be a significant burden for enterprise, comprising 45.9 percent of all malware detected, or in other words, basic signature-based AV tools caught 54.1 percent of all malware, creating a pressing need for advanced malware detection tools and techniques.

The Ramnit Trojan also reappeared for the first time since 2016 in a targeted EU campaign, with 98.9 percent of detections in Q1 being from Italy alone.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews