New Linux Malware Installs Bitcoin Mining Software on Infected Device

Beware of Linux.Lady malware: it converts Linux-based PCs into crypto-currency miners

Security firms have been on high alert since the beginning of 2016 because of the steady stream of scam campaigns and malware appearing on the Internet. This report is about another such piece of malware, one designed to exploit unprotected Redis servers.

According to the Russia-based antivirus vendor Dr. Web, the malware, which has been named Linux.Lady, is written in Google's Go programming language. It specifically targets Redis servers that system admins have placed online without any password.

Dr. Web states that:

“This malware possesses the ability to collect information about an infected computer and transfer it to the C&C server, download and launch a crypto-currency mining utility, and attack other computers on the network to install its own copy on them.”

The main purpose of this malware is to convert computers that run Linux into crypto-currency generators. It performs three key functions:

* It gathers information about the infected computer and sends it to the command-and-control (C&C) server

* It downloads and launches a crypto-currency mining program after receiving a configuration file from the C&C server

* It searches for other computers on the network on which to install another copy of the miner, which mines Monero, a type of cryptocurrency

The configuration file is integral to the functioning of this malware, because without it the malware cannot launch the crypto-currency mining program. The same file also lets the malware determine the external IP address of the infected machine, since it lists special websites that report a client's public IP address.

After performing these three tasks, the Linux.Downloader.196 script is downloaded onto the machine in order to fetch the main payload, and Linux.Lady then sends the system's data to the C&C server.

Specifically, this malware affects misconfigured Redis database servers that have not been secured with a password. Reportedly, there are roughly 30,000 such servers operating online at the moment.
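The exposure described above is a configuration problem rather than a software bug, so the practical defence is to audit your own Redis instances for it. The following Python script is an added example (not code from the article or from Dr. Web): it encodes a single unauthenticated PING in Redis's RESP wire protocol and classifies the reply as open, auth-required or protected-mode, and it scans a redis.conf body for the three settings that close the hole (requirepass, a restricted bind address, and protected-mode). The two configuration bodies are constructed samples; the probe() helper is intended for hosts you administer.

```python
"""Audit a Redis deployment for the passwordless exposure Linux.Lady targets."""
import socket
from typing import Dict, List

# Constructed sample: the exposed configuration the article describes.
WEAK_CONF = """# constructed example, not a real server's config
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """# constructed example, not a real server's config
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
port 6379
"""


def resp_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, the format Redis speaks."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Turn the raw reply to an unauthenticated PING into an audit finding."""
    first_line = reply.split(b"\r\n", 1)[0]
    if first_line == b"+PONG":
        return "OPEN"            # answered without credentials: the Linux.Lady case
    if first_line.startswith(b"-NOAUTH"):
        return "AUTH_REQUIRED"   # requirepass is set
    if first_line.startswith(b"-DENIED"):
        return "PROTECTED_MODE"  # Redis refused the non-loopback client
    return "UNKNOWN"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Send one PING to a Redis instance you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("PING"))
        return classify_reply(sock.recv(512))


def parse_conf(conf_text: str) -> Dict[str, str]:
    """Read 'key value' lines from a redis.conf body, skipping comments and blanks."""
    settings: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit_config(conf_text: str) -> List[str]:
    """Return a list of hardening findings; an empty list means the three checks pass."""
    settings = parse_conf(conf_text)
    findings: List[str] = []
    if not settings.get("requirepass"):
        findings.append("requirepass not set: any client that can reach the port has full access")
    bind_addrs = settings.get("bind", "").split()
    if not bind_addrs or "0.0.0.0" in bind_addrs or "::" in bind_addrs:
        findings.append("bind not restricted to a loopback or private interface")
    # protected-mode defaults to yes on Redis 3.2 and later when the directive is absent.
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode disabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_config(conf) or ['no findings']}")
    # To check a live instance you run: print(probe("127.0.0.1"))
```

A server that answers PING with PONG from a non-loopback address, with no requirepass in its configuration, is exactly the kind of host the article says Linux.Lady looks for; the config audit catches the problem before anything ever connects to the port.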

Andra Zaharia, a security researcher at Heimdal Security Financial, told HackRead that malware comes in many shapes and sizes, but its objective is always the same: to make as much money as possible for the attacker.

“Creating a Trojan to mine for cryptocurrency is a bold task, especially since it will heavily use the resources of the system it affects, so stealthiness may have to be compromised,” she said.

“Given the attack vectors used in this context, the importance of traffic filtering becomes evident once again. Blocking communication to C&C servers can greatly reduce the chances that an infection successfully takes over the system. Since the Trojan’s architecture is all publicly posted on GitHub, cyber security researchers will most likely find a way to combat this threat before it spreads any further,” added Zaharia.

The Trojan’s architecture consists of various libraries published on GitHub, a popular collaborative application development service / Source: Dr.Web