Malware Turns Servers into Cryptocurrency Mining Engines

By
Lester Coleman
August 19, 2016

A malware called Linux.Lady targets Redis servers that have been placed online without passwords and launches a cryptocurrency mining software, according to hackread.com.

According to Dr. Web, a Russian software retailer, Linux.Lady uses Google’s Go programming language and targets Redis servers that lack passwords from systems administrators. Dr. Web claims the malware can collect information about an infected computer and send it to the C&C server, download it and launch a cryptocurrency mining utility, then attack more computers on the network.

Turning Linux into Crypto Miners

The malware’s main purpose is to convert computers using Linux into cryptocurrency creators.

The malware cannot launch the mining program without the configuration file. Once the program launches, the malware identifies the external IP address of the infected machine and through the configuration file since the file contains data on websites that locate the IP addresses.

The Linux.Downloader.196 script downloads on the machine to further download the key payload. Linux.Lady then sends the data in the system to the C&C server.

The malware impacts the misconfigured Redis database servers that have not been password secured. There are about 30,000 servers operating this way at the present time.

Also read: Bitcoin payment processor BitPay warns against Trojan virus

Malware: Different Sizes and Shapes

A security researcher at Heimdal Security Financial, Andra Zaharia, said the malware comes in many sizes and shapes, but its goal is always to enrich the attacker financially as much as possible.

Zaharia said creating a Trojan to mine cryptocurrency is a bold initiative, especially considering it will use a lot of resources in the system it affects. Stealthiness might need to be compromised, she noted.

Considering the attack vectors used, the traffic filtering’s importance becomes obvious, she said. The chances an infection will take over the system can be reduced by blocking communication to the C&C servers.

Because the Trojan’s architecture is publicly posted on GitHub, cyber security researchers will likely find a way to counter the threat before it further spreads, Zaharia said.

Featured image from Shutterstock.

Tags: linux
Show comments