As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for cryptominers, though, is that the offending process is easily detectable because of its heavy CPU utilization.
To make it harder to spot a cryptominer process that is utilizing all of the CPU, a new variant has been discovered for Linux that attempts to hide its presence by utilizing a rootkit.
According to a new report by TrendMicro, this new cryptominer+rootkit combo will still cause performance issues due to the high CPU utilization, but administrators will not be able to detect what process is causing it.
“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” stated a report by TrendMicro. “It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”
While it is not known what software is installing this miner, TrendMicro believes it is an unofficial or compromised plugin, such as media-streaming software. When installed, the executable downloads and executes a series of shell scripts that ultimately install the miner and then a rootkit to hide the miner's presence.
In the variant detected by TrendMicro, the cryptominer will be installed to /tmp/kworkerds and executed. When the rootkit is not installed, you can easily see the kworkerds process utilizing 100% of the CPU.
Once the rootkit is installed, though, the process causing the high CPU is not visible even though the total system utilization is still shown as 100%.
As you can see, utilizing a rootkit to hide a cryptominer can be an effective tool to avoid its removal. Unfortunately, this will also be a nightmare for system administrators and users who cannot figure out why their computer is using so much CPU.
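One defender-side check that follows from the observation above, added here as an example and not taken from the article or the Trend Micro report: compare the kernel's aggregate CPU accounting in /proc/stat against the summed CPU time of every PID still visible in /proc. It assumes the rootkit hides the process from the listing while the system-wide counters still reflect its work, which is what the reported 100% total utilization suggests; the function names, the 5-second interval and the 0.5-core threshold are constructed for this example.

```python
import os
import time

def busy_jiffies(proc_stat_text):
    """Busy jiffies from the aggregate 'cpu' line of /proc/stat (user nice system
    idle iowait irq softirq steal ...); guest time is already inside user."""
    v = [int(x) for x in proc_stat_text.splitlines()[0].split()[1:]]
    return v[0] + v[1] + v[2] + v[5] + v[6] + v[7]

def pid_jiffies(pid_stat_text):
    """utime + stime from a /proc/<pid>/stat line; comm may contain spaces, so
    split only after the last ')'."""
    rest = pid_stat_text[pid_stat_text.rindex(")") + 2:].split()
    return int(rest[11]) + int(rest[12])  # fields 14 and 15 of the full line

def unaccounted_jiffies(total_before, total_after, procs_before, procs_after):
    """Busy jiffies in the interval that no process visible in /proc accounts
    for; a process hidden from the listing still counts toward /proc/stat."""
    visible = sum(after - procs_before.get(pid, 0) for pid, after in procs_after.items())
    return (total_after - total_before) - visible

def unaccounted_fraction(jiffies, interval_s, clk_tck):
    """Gap expressed as a fraction of one CPU core over the interval."""
    return jiffies / (interval_s * clk_tck)

def sample():
    with open("/proc/stat") as f:
        total = busy_jiffies(f.read())
    procs = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/stat") as f:
                    procs[int(name)] = pid_jiffies(f.read())
            except OSError:
                pass  # process exited between listdir and open
    return total, procs

if __name__ == "__main__":
    interval = 5
    t0, p0 = sample()
    time.sleep(interval)
    t1, p1 = sample()
    gap = unaccounted_jiffies(t0, t1, p0, p1)
    frac = unaccounted_fraction(gap, interval, os.sysconf("SC_CLK_TCK"))
    print(f"unaccounted CPU: {frac:.2f} cores ({gap} jiffies over {interval}s)")
    if frac > 0.5:
        print("WARNING: significant CPU use by processes not visible in /proc")
```

Short-lived processes that exit during the interval also leave a gap, so only a gap of roughly a core's worth that persists across repeated samples matches the symptom described.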