Analysts at Trend Micro, a Japanese cybersecurity company, have discovered a cryptocurrency miner, KORKERDS, that shows somewhat atypical behavior. This was reported on the company's website.
Researchers have not yet determined exactly how the threat spreads. Most likely, it is downloaded after the installation of some software or through a compromised plugin.
Researchers assigned the identifier Coinminer.Linux.KORKERDS.AB to the miner, which mines Monero (XMR). Notably, a second component is also used: a rootkit (Rootkit.Linux.KORKERDS.AA) that hides the mining process from monitoring tools.
Once the hidden miner starts running, CPU load rises to 100%, but it is not easy for the user to find out why. The situation is complicated by the rootkit, which hooks the readdir and readdir64 APIs of the libc library: the normal library file is overwritten with a version in which readdir is replaced by a fake one.
The malicious version of readdir is used to hide the mining process (kworkerds). After that it becomes much harder to identify the miner, even though the processor load points to suspicious activity.
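A userland hook of readdir() only filters what directory listings return; it does not remove the /proc/<pid> directory itself. A defender can therefore spot a process hidden this way by comparing the PIDs that readdir() lists under /proc with the PIDs that can be reached by a direct stat() probe. The following is an added example written for this article (not code from Trend Micro's report); the function names are this example's own. It skips thread IDs (which also have unlisted /proc entries) and re-checks each candidate to avoid flagging processes that merely started during the scan.

```c
/* Added example: find processes present in /proc that readdir() does not list.
 * A rootkit that hooks readdir()/readdir64() in libc can filter a process name
 * out of directory listings, but /proc/<pid> can still be opened directly.
 * All function names here are this example's own, not from the original report. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound for PIDs on this host; falls back to 32768 if /proc/sys is unreadable. */
static int read_pid_max(void) {
    int pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%d", &pid_max) != 1 || pid_max < 1) pid_max = 32768;
        fclose(f);
    }
    return pid_max;
}

/* Mark every numeric /proc entry that readdir() is willing to return. */
static void list_proc_via_readdir(unsigned char *seen, int pid_max) {
    memset(seen, 0, (size_t)pid_max + 1);
    DIR *d = opendir("/proc");
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid >= 1 && pid <= pid_max) seen[pid] = 1;
    }
    closedir(d);
}

/* Probe /proc/<pid> without going through readdir(): a readdir hook cannot filter this. */
static int pid_exists_via_stat(int pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", pid);
    return stat(path, &st) == 0;
}

/* Threads also have /proc/<tid> directories that readdir() never lists; only
 * thread-group leaders (Tgid == pid) are real processes worth reporting. */
static int pid_is_thread_group_leader(int pid) {
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    }
    fclose(f);
    return tgid == pid;
}

/* Returns the number of hidden PIDs found and stores up to max_out of them in out. */
static int find_hidden_pids(int *out, int max_out) {
    int pid_max = read_pid_max();
    unsigned char *seen = malloc((size_t)pid_max + 1);
    if (!seen) return 0;
    list_proc_via_readdir(seen, pid_max);
    int found = 0;
    for (int pid = 1; pid <= pid_max; pid++) {
        if (seen[pid] || !pid_exists_via_stat(pid)) continue;
        if (!pid_is_thread_group_leader(pid)) continue;
        /* The process may have started after the listing was taken: re-list and
         * keep the PID only if it is still present yet still absent from readdir(). */
        list_proc_via_readdir(seen, pid_max);
        if (seen[pid] || !pid_exists_via_stat(pid)) continue;
        if (found < max_out) out[found] = pid;
        found++;
    }
    free(seen);
    return found;
}

/* Convenience wrapper for a simple "is anything hidden?" check. */
static int count_hidden_pids(void) {
    int first[1];
    return find_hidden_pids(first, 1);
}

int main(void) {
    int hidden[64];
    int n = find_hidden_pids(hidden, 64);
    if (n == 0) {
        puts("no PIDs hidden from readdir()");
        return 0;
    }
    printf("%d PID(s) visible via stat() but absent from readdir():", n);
    for (int i = 0; i < n && i < 64; i++) printf(" %d", hidden[i]);
    putchar('\n');
    return 1;
}
```

On a clean host the program reports nothing; a PID it does report is one that stat() can reach but the readdir() path will not show, which is exactly the symptom of the libc hook described above and a reason to inspect /proc/<pid>/exe and the loaded libc. Because the check relies on the stat() path, it should be run from a statically linked binary or a known-good rescue environment if the host's libc itself is suspected of being replaced.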
According to the researchers, the new miner may pose a threat not only to servers, but also to ordinary Linux users.
Recall that in June, analysts at Palo Alto Networks reported that 5% of Monero coins had been mined through hidden mining.
BlockchainJournal.news