Trojan Goes Cryptocurrency Mining

Thursday, August 11, 2016 @ 03:08 PM gHale


A new Linux Trojan can run a cryptocurrency mining program on an infected computer, researchers said.

Called Linux.Lady.1, the malware uses Google’s Go programming language and libraries available on GitHub, said researchers at antivirus company Dr.Web.

Attackers first used Go to create malware in 2012, but the language has not gained any traction among malware authors in the years since.

Once it infects a system, the Linux malware collects information on the infected machine, including the operating system, CPUs and processes, the researchers said in a post.

The harvested data goes back to a command and control (C&C) server, which provides a configuration file for downloading a cryptocurrency mining application.

The sample analyzed by Dr.Web delivered an application designed for Monero (XMR) mining. Monero is an open source cryptocurrency currently valued at $2 per unit, and unlike Bitcoin, it can still be mined using personal computers.

Researchers also said Linux.Lady.1 is capable of spreading to other Linux computers on the infected network. It does this by attempting to connect to remote hosts over port 6379 without a password. Researchers said the attackers are counting on the host being poorly configured.

If the connection is successful, Linux.Lady.1 downloads a script from a specified URL and adds it to the Cron scheduler of the infected device. This script, detected by Dr.Web as Linux.DownLoader.196, is responsible for downloading and installing a copy of the Linux Trojan on the compromised device.
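
For defenders, the spreading step above only works against a service on port 6379 that accepts remote connections without a password. The following is an added example, not code from Dr.Web or from the malware: it audits a configuration file for that condition, assuming the service is Redis (6379 is the default Redis port; the article does not name the service) and using a constructed sample config and hypothetical finding names.

```python
import ipaddress

# Constructed sample config, not taken from any real host.
SAMPLE_CONF = """\
# redis.conf (constructed sample)
port 6379
bind 0.0.0.0
protected-mode no
# requirepass changeme
"""

def parse_conf(text):
    """Return {directive: [args]} keeping the last occurrence of each directive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        key, *args = line.split()
        conf[key.lower()] = args
    return conf

def is_loopback(addr):
    addr = addr.lstrip("-")  # Redis 7 allows a "-" prefix on optional addresses
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable is treated as non-loopback

def audit_redis_conf(text):
    """List settings that leave the service reachable without a password."""
    conf = parse_conf(text)
    findings = []
    password = conf.get("requirepass", [])
    if not password or password[0] in ('""', "''"):
        findings.append("no-password")
    bind = conf.get("bind")
    # With no bind directive Redis listens on all interfaces.
    if bind is None or not all(is_loopback(a) for a in bind):
        findings.append("listens-beyond-loopback")
    # protected-mode exists from Redis 3.2 onward and defaults to yes there.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode-off")
    return findings

if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

A host reporting both `no-password` and `listens-beyond-loopback` matches the poor configuration the researchers describe; setting a password and binding to loopback or a trusted interface clears both findings.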