The Trojan Linux.BtcMine.174 reads passwords, deactivates antivirus software, spreads via SSH and mines Monero.
In general, there is less malware for Linux than for Windows machines, but the malware that does target Linux has become more complex and mature over time. According to a report by ZDNet, the Russian antivirus manufacturer Dr. Web has found a Trojan that consists of about 1000 lines of code.
The Trojan, called Linux.BtcMine.174, first copies itself to a folder for which it has write permissions and then downloads additional modules. Once in the system, it obtains root privileges and takes control of the Linux OS. In addition, the Trojan adds itself as an autorun entry, downloads a rootkit and executes it: for example, it can read passwords entered by the user.
Cryptomining via Trojan
Then it does what it was written for: it uses the computing power of the PC to mine the cryptocurrency Monero. So that it does not have to share that power with anyone, it first deactivates several other Trojans that are also meant to mine cryptocurrencies.
But that's not all: Linux.BtcMine.174 also deactivates various antivirus solutions that run on the computer. According to Dr. Web, processes such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord were disabled by the Trojan. Finally, the Trojan tries to copy itself over SSH to computers connected to the infected device.
Dr. Web has uploaded the Trojan's file hashes to GitHub to help system administrators who want to search their systems for the relatively new threat.
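A sweep of a host against a published hash list, as described above, can look like the following. This is an added example, not Dr. Web's tooling or part of the original article; the list format (one SHA-1 or SHA-256 hex digest per line, with `#` comments) is an assumption, and no real hashes are included.

```python
import hashlib
import os
import stat

# Hex digest length -> hashlib algorithm name (assumed list format).
ALGO_BY_LEN = {40: "sha1", 64: "sha256"}

def load_iocs(text):
    """Parse an IoC list: one hex digest per line; '#' comments and blanks ignored."""
    iocs = {}
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = ALGO_BY_LEN.get(len(token))
        if algo is None or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not a recognised digest: {token!r}")
        iocs.setdefault(algo, set()).add(token)
    return iocs

def file_digests(path, algos, chunk=1 << 20):
    """Read the file once and feed every required algorithm from the same blocks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def sweep(root, iocs):
    """Return sorted (path, algo, digest) for regular files under root that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # lstat so symlinks, devices and FIFOs are skipped, not followed.
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue
                digests = file_digests(path, iocs)
            except OSError:
                continue  # unreadable or removed mid-scan; log this in a real sweep
            hits += [(path, a, d) for a, d in digests.items() if d in iocs[a]]
    return sorted(hits)
```

Because the Trojan installs a rootkit, a sweep run from the live system can be blind to hidden files; scanning the disk from a trusted boot medium gives a more reliable result.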
The post Linux.BtcMine.174 New Linux Cryptominer steals the root password appeared first on MinerNews.