Cryptominers on Linux install rootkits to hide themselves

Trend Micro security researchers have discovered a new variant of malware that minets cryptographic currency on Linux computers. The malware distinguishes itself from others because it downloads a rootkit to change the behavior of the operating system and hides the unwanted high CPU consumption that comes with the mines.

The malware is called by Trend Micro KORKERDS. The organization has not yet been able to identify how the malware infects a system, but they do not think that the wave of infections is the result of a massive hacking campaign. The researchers think they have poisoned Linux applications that are adapted to quietly download and install the KORKERDS-miner during the installation process of a legitimate app. However, Trend Micro does not know which app it is.

The rootkit that is installed not only allows KORKERDS to survive the reboot of the operating system, but also contains a piece of code to hide the main process of the mineral from the process monitoring tools of Linux itself. “The rootkit links the readdir and readdir64 APIs of the libc library. The rootkit overwrites the normal library file by replacing the normal readdir file with its own version,” said the researchers.

The rogue version of readdir works by hiding processes called “kworkerds”, which is the process of the mineral. However, Linux tools show that 100 percent of the CPU is used, but administrators cannot see and stop the process that abuses the CPU.

Windows users

The malware may pose a threat not only to servers, but also to desktop users, as the malware spreads through legitimate apps. In addition, Trend Micro published a report on another variant of malware that focuses on Windows users and uses various techniques to hide on the infected system.