New cryptomining malware removes other malware from Linux, then latches onto systems

• A script capable of deleting known Linux malware and coin mining software in systems has been discovered by Trend Micro.
• It then downloads a cryptocurrency-mining malware as well as install itself into these systems to evade detection.

Recently, cybersecurity firm Trend Micro has reported about a new script that deletes other malware in Linux systems and installs a different cryptomining malware into these systems.

Moreover, this script would also remove any coin mining software present in the system. When conducting a routine log check in its honeypot mechanisms, Trend Micro found this suspicious looking script downloading a binary.

Similar to KORKERDS

According to a blog by the firm, the script had similar features of another Linux rootkit program KORKERDS except for a few differences in functionality.

“We also looked at an analyzed code of KORKERDS modified and collected in November 2018 and found them almost the same except for a few additions and notable omissions. Compared to KORKERDS, the new script does not uninstall security products found in the system and does not install a rootkit. Instead, the KORKERDS miner and the rootkit component are included in the kill list. Basically, the new script deletes the components and mining process of the malware whose code it copied.” read the blog.

In addition to that, the script downloads a binary of a modified version of the cryptocurrency miner XMR-Stak, a universal Stratum pool miner that supports CPUs, AMD, and NVIDIA GPUs for Cryptonight currencies.

Besides downloading the cryptomining malware, the malicious script also adds itself to the crontabs to bypass detection and survive reboots and deletion.

Ultimately, the mining malware ends up relying on the system's resources (GPU and CPU), thus slowing them down.