Researchers at antivirus company Dr.Web have discovered a malicious Monero cryptominer specifically designed for Linux machines, with additional functionality that also allows it to operate as a backdoor.
Named Linux.BtcMine.174, the trojan is described as a shell script containing over 1,000 lines of code. To receive its malicious commands from the attackers, the malware downloads and runs a second trojan, Linux.BackDoor.Gates.9. “This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out,” explains a Dr.Web virus database alert.
The trojan escalates its privileges to root using the Linux kernel exploits DirtyCow (CVE-2016-5195) and Linux.Exploit.CVE-2013-2094. Root access lets it download and launch a shell-script rootkit whose capabilities include hiding files and stealing the passwords users type for the “su” command (used on Linux to switch from one account to another).
Once it has root, Linux.BtcMine.174 stops any running anti-virus services it is programmed to recognize and removes their files. It likewise seeks out and removes any competing miners already installed on the infected machine.
The trojan also attempts to spread to other machines: it collects data on the hosts that users of the infected machine have previously connected to over Secure Shell (SSH), then attacks those hosts.
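The report says the malware harvests the SSH hosts a user has reached before; one obvious local source for that data is the user's `~/.ssh/known_hosts` file (an assumption here, not something the Dr.Web report states). OpenSSH's `HashKnownHosts yes` option stores each hostname as an HMAC-SHA1 keyed with a random salt instead of in plaintext, so whoever reads the file learns nothing unless they already know a hostname to test. The audit below is an added example written for this article, not code from Dr.Web or from the malware: it parses a constructed `known_hosts` sample, reports which hostnames are readable in plaintext (the harvestable ones), and shows how a hashed entry is verified against a candidate hostname.

```python
"""Audit an OpenSSH known_hosts file for hostnames readable in plaintext.

Added example, not from the Dr.Web report. Assumes known_hosts is one
source a host-harvesting trojan could read; the sample file is constructed.
"""
import base64
import hashlib
import hmac
from typing import List, Tuple


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the '|1|salt|hash' token OpenSSH writes for a hashed hostname.

    Format (HashKnownHosts yes): '|1|' + b64(salt) + '|' + b64(HMAC-SHA1(salt, host)).
    """
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hashed_entry_matches(token: str, hostname: str) -> bool:
    """True if a hashed host token was produced for `hostname`.

    This is the only way to learn anything from a hashed entry: you must
    already have a hostname to test, which is what defeats bulk harvesting.
    """
    if not token.startswith("|1|"):
        return False
    _, _, salt_b64, _ = token.split("|", 3)
    salt = base64.b64decode(salt_b64)
    return hmac.compare_digest(hash_hostname(hostname, salt), token)


def parse_known_hosts(text: str) -> List[Tuple[str, bool]]:
    """Return (host_field, is_hashed) for each key line; comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # '@cert-authority' / '@revoked' marker
            fields = fields[1:]
        if len(fields) < 3:  # need host, key type, key
            continue
        host_field = fields[0]
        entries.append((host_field, host_field.startswith("|1|")))
    return entries


def plaintext_hosts(text: str) -> List[str]:
    """Hostnames and addresses readable directly from the file: the harvestable part."""
    hosts = []
    for host_field, hashed in parse_known_hosts(text):
        if hashed:
            continue
        for host in host_field.split(","):
            if host.startswith("["):  # '[host]:port' syntax for non-default ports
                host = host[1 : host.index("]")]
            hosts.append(host)
    return hosts


# Constructed sample, not real hosts. OpenSSH uses 20 random salt bytes; a
# fixed salt is used here so the hashed line is reproducible.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    hash_hostname("git.example.internal", SALT) + " ssh-ed25519 AAAAC3ExampleKey",
    "[build.example.internal]:2222,10.0.0.5 ssh-rsa AAAAB3ExampleKey",
    "db01.example.internal ecdsa-sha2-nistp256 AAAAE2ExampleKey",
    "@revoked old.example.internal ssh-rsa AAAAB3ExampleRevoked",
])


if __name__ == "__main__":
    exposed = plaintext_hosts(SAMPLE_KNOWN_HOSTS)
    total = len(parse_known_hosts(SAMPLE_KNOWN_HOSTS))
    print("%d of %d entries expose a hostname in plaintext:" % (len(exposed), total))
    for host in exposed:
        print("  " + host)
    if exposed:
        print("Set 'HashKnownHosts yes' in ssh_config and run 'ssh-keygen -H' to hash existing entries.")
```

Run it against a real file by reading `~/.ssh/known_hosts` into `plaintext_hosts`; `ssh-keygen -H` rewrites an existing file with hashed entries (it keeps a `.old` backup, which should then be removed), and `HashKnownHosts yes` in `ssh_config` keeps new entries hashed. Hashing does not stop an attacker who already holds the user's keys or agent from reaching those hosts, but it removes the ready-made target list this kind of malware relies on.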