Linux mining software could steal passwords and disable antivirus


The trojan also installs a rootkit and a second malware strain used for denial-of-service attacks

Malware that targets Linux may be less common than the threats aimed at Windows users, but it is becoming increasingly functional and complex, note digital forensics specialists at the International Institute of Cyber Security.

The most recent example of this trend is a trojan discovered this month by an antivirus vendor. The malware does not yet have a specific name and is tracked as Linux.BtcMine.174. It is considerably more complex than most Linux malware, mainly because of the number of malicious functions it performs.

It is a shell script of more than a thousand lines, and it is the first file executed on an infected Linux system. Its first step is to find a directory on disk to which it has write permission and copy itself there; it then uses that directory as the download location for its other modules, according to the cybersecurity and digital forensics specialists.

Once it has a foothold, the trojan uses the privilege escalation exploits CVE-2016-5195 (aka Dirty COW) or CVE-2013-2094 to gain full control of the attacked operating system. It then sets itself up as a local daemon, and will even download the nohup utility for this purpose if it is not already present on the system.

With the system under its control, the trojan starts its main task: silent cryptocurrency mining (cryptojacking). It first scans the system for cryptomining processes belonging to rival malware and kills them, then downloads and launches its own Monero miner. It also downloads and runs a second piece of malware, the Bill.Gates trojan, a known strain used for distributed denial-of-service (DDoS) attacks that also has backdoor-like functions.

The trojan goes further still: it also searches for process names associated with Linux antivirus and security software and terminates them. The digital forensics specialists report that it stops processes with names such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord.

Despite everything Linux.BtcMine.174 can already do, its developers were apparently not satisfied. According to cybersecurity and digital forensics researchers, the trojan also adds itself to autorun locations such as /etc/rc.local, /etc/rc.d/… and /etc/cron.hourly, and then downloads and runs a rootkit.

According to the specialists, this rootkit component is even more intrusive: it can steal passwords entered by users and hide files on the system, network connections and running processes.

Finally, the trojan runs a routine that collects information about the remote servers the infected host has connected to over SSH and attempts to connect to those machines as well, spreading the infection. Researchers believe this is the malware's main distribution method.
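For a responder, the practical question is how to check a Linux host for the behaviours described above: the autorun entries, the missing security daemons and the SSH connections that would show where the infection may have spread next. The script below is an added triage example written for this page; it is not code from the original report and has nothing to do with the malware itself. Its heuristics for a suspicious autorun line (a shell script started with nohup, anything run from /tmp, /var/tmp or /dev/shm, or a curl/wget piped into a shell) are this example's own, and reading ~/.ssh/known_hosts as the list of SSH targets is also an assumption: the article only says the trojan collects information about hosts reached over SSH, not which file it reads.

```python
"""Triage a Linux host for the Linux.BtcMine.174 behaviours described in the
article: autorun persistence, killed security daemons and SSH pivot targets.
Added example for this page; all heuristics are the example's own."""
import os
import re
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Process names the article lists as targets of the trojan's kill routine.
SECURITY_PROCS = {
    "safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdmgd",
    "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord",
}

# Persistence locations named in the article (rc.d is scanned recursively).
AUTORUN_PATHS = ["/etc/rc.local", "/etc/rc.d", "/etc/cron.hourly"]

# Heuristics (assumptions of this example, not from the article): a shell
# script launched with nohup, anything living in a world-writable directory,
# or a download piped straight into a shell.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bnohup\b.*\.sh\b"),
    re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\S+"),
    re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
]


def iter_files(paths: Iterable[str]) -> Iterable[Path]:
    """Yield regular files for each path, which may be a file or a directory."""
    for p in paths:
        path = Path(p)
        if path.is_file():
            yield path
        elif path.is_dir():
            for child in sorted(path.rglob("*")):
                if child.is_file():
                    yield child


def find_suspicious_autoruns(paths: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (file, line_no, line) for non-comment autorun lines that match a heuristic."""
    hits = []
    for f in iter_files(paths):
        try:
            text = f.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for no, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if any(pat.search(stripped) for pat in SUSPICIOUS_PATTERNS):
                hits.append((str(f), no, stripped))
    return hits


def running_process_names(proc_root: str = "/proc") -> Set[str]:
    """Collect process names from <proc_root>/<pid>/comm (Linux procfs layout)."""
    names = set()
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            try:
                names.add((entry / "comm").read_text().strip())
            except OSError:
                continue  # process exited between listing and read
    return names


def missing_security_processes(running: Set[str], expected: Set[str]) -> Set[str]:
    """Security daemons that are expected on this host but are not running.

    Only meaningful for tools actually installed and enabled here: clamd being
    absent on a host that runs ClamAV fits the kill behaviour in the article;
    its absence on a host that never had it means nothing.
    """
    return {name for name in expected if name not in running}


def ssh_pivot_candidates(known_hosts_text: str) -> List[str]:
    """Hostnames/IPs from known_hosts text: systems this host has SSH'd to.

    Hashed entries (|1|...) cannot be recovered and marker lines (@cert-authority,
    @revoked) describe patterns rather than targets, so both are skipped.
    """
    hosts: List[str] = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        # Entry format: host[,host2,...] keytype base64key [comment]
        for host in line.split()[0].split(","):
            host = host.strip("[]").split("]:")[0]  # "[host]:port" -> "host"
            if host and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for f, no, line in find_suspicious_autoruns(AUTORUN_PATHS):
        print(f"[autorun] {f}:{no}: {line}")
    absent = missing_security_processes(running_process_names(), SECURITY_PROCS)
    for name in sorted(absent):
        print(f"[not running] {name}  (relevant only if installed here)")
    known_hosts = Path.home() / ".ssh" / "known_hosts"
    if known_hosts.exists():
        for host in ssh_pivot_candidates(known_hosts.read_text()):
            print(f"[ssh target to check] {host}")
```

Run it as root on the suspect host so that /etc/rc.d and every user's known_hosts are readable; each root-owned account's ~/.ssh/known_hosts is worth feeding to ssh_pivot_candidates separately, since the article's propagation route means those hosts are the next ones to triage. Remember that the rootkit described above can hide processes and files from the very interfaces this script reads, so a clean result from an online scan is weaker evidence than one from a disk image examined offline.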