Security Architecture, Endpoint/Device Security, IoT, Threat Management, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Bot infects connected devices with miner linked to Chinese money scam site

Researchers have uncovered a malware bot that infects Linux-based servers and connected devices with a cryptominer that appears to transfer funds to the operators of a Chinese money-making scam website.

According to a June 26 blog post from Trend Micro, the bot is associated with an IP address that is set to search for ports pertaining to the Secure Shell (SSH) protocol and Internet of Things (IoT) devices. However, in the observed attack, the bot focused devices communicating with SSH-based port 22 -- specifically those with an open and exploitable Remote Desktop Protocol (RDP) port.

Upon discovering a vulnerable device, the bot runs a wget command to download the script "" from a malicious website to a directory that install the cryptojacking malware. The domain name of this website, written in transliterated Chinese, translates to "earn money all the way," blog post authors and researchers Jindrich Karasek and Loseway Lu explain.

Trend Micro has identified the domain as a financial scam site to which Monero and Ethereum coins are funneled by the cryptominer, named YiluzhuanqianSerd. Users are tricked into installing the miner via social engineering tactics, the report continues.

"The attackers here appear to go the extra mile to cover up a mining operation with a seemingly run-of-the-mill scam site," write Karasek and Lu. "Even so, the adverse effect remains: Surreptitiously mining for cryptocurrency on users' devices consumes considerable amounts of electricity and exhausts computing power."

Although the Chinese website looks innocent enough at first glance, it actually contains a blog and video tutorial page detailing the malicious mining operation. And even if its link were to be blocked, "the attacker can just switch to another domain to continue operations without losing the potential scam site itself," the blog post explains.

Trend Micro further notes that before downloading the miner, the malicious bot contains a basic persistence mechanism added in its installer script, and configures Linux devices in such a way to enhance their computational power, thereby increasing mining hauls.

"Using botnets is perhaps one of the most prevalent ways for attackers looking into abusing the IoT for their own gain," the blog post states. "A single compromised device may not be powerful enough, but when the malware is spread in a bot-enabled fashion, an army of mining zombies might just prove lucrative down the road."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.