Coinminer.Linux.SKIDMAP.WGM

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Este malware se elimina tras la ejecución.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• /usr/bin/kaudited → Only if existing and matches MD5 hash
• /usr/bin/pamdicks.org → Coinminer Payload
• /usr/bin/pamdicks → Coinminer Payload
• /lib64/security/pam_unix.so → if 64-bit, compromised pam_unix.so file
• /lib/x86_64-linux-gnu/security/pam_unix.so → if 32-bit, compromised pam_unix.so file

Agrega los procesos siguientes:

• /usr/bin/pamdicks

Otros detalles

Hace lo siguiente:

• It checks for the presence of the following files:
  • /lib64/security/pam_unix.so
  • /lib/x86_64-linux-gnu/security/pam_unix.so.
  • If present, it will replace it with a malicious copy of "pam_unix.so", otherwise it will create its own "pam_unix.so"
• It checks if setenforce is running; if found running, it will execute the following command:
  • execute (setenforce 0)
• It sets the following configurations if /etc/selinux/config is present:
  • SELINUX=disabled
  • SELINUXTYPE=targeted, to disabled setenforce
• It checks for the first process id -100 in /var/run/bioset is running. If the process id is not running the malware will create an additional process of itself.
• It connects to the following mining pools:
  • pool.cpuminerpool.com:443
  • pool.minexmr.com:80
  • pool.dero.fairhash.org:1555
  • pool.cpuminerpool.com
  • pool.minexmr.com
  • de.minexmr.com:5555
  • derol.cpuminerpool.com:443
  • dero.miner.rocks:30182
  • dero.cpuminerpool.com
  • dero.miner.rocks
• It accepts the following parameters:
  • -o, --url=URL URL of mining server
  • -a, --algo=ALGO mining algorithm https://xmrig.com/docs/algorithms
  • --coin=COIN specify coin instead of algorithm
  • -u, --user=USERNAME username for mining server
  • -p, --pass=PASSWORD password for mining server
  • -O, --userpass=U:P username:password pair for mining server
  • -x, --proxy=HOST:PORT connect through a SOCKS5 proxy
  • -k, --keepalive send keepalived packet for prevent timeout (needs pool support)
  • --nicehash enable nicehash.com support
  • --rig-id=ID rig identifier for pool-side statistics (needs pool support)
  • -r, --retries=N number of times to retry before switch to backup server (default: 5)
  • -R, --retry-pause=N time to pause between retries (default: 5)
  • --user-agent set custom user-agent string for pool
  • --donate-level=N donate level, default 5%% (5 minutes in 100 minutes)
  • --donate-over-proxy=N control donate over xmrig-proxy feature
  • --no-cpu disable CPU mining backend
  • -t, --threads=N number of CPU threads
  • -v, --av=N algorithm variation, 0 auto select
  • --cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • --cpu-priority set process priority (0 idle, 2 normal to 5 highest)
  • --cpu-max-threads-hint=N maximum CPU threads count (in percentage) hint for autoconfig
  • --cpu-memory-pool=N number of 2 MB pages for persistent memory pool, -1 (auto), 0 (disable)
  • --cpu-no-yield prefer maximum hashrate rather than system response/stability
  • --no-huge-pages disable huge pages support
  • --asm=ASM ASM optimizations, possible values: auto, none, intel, ryzen, bulldozer
  • --randomx-init=N threads count to initialize RandomX dataset
  • --randomx-no-numa disable NUMA support for RandomX
  • --randomx-mode=MODE RandomX mode: auto, fast, light
  • --randomx-1gb-pages use 1GB hugepages for dataset (Linux only)
  • --randomx-wrmsr=N write custom value (0-15) to Intel MSR register 0x1a4 or disable MSR mod (-1)
  • --randomx-no-rdmsr disable reverting initial MSR values on exit
  • --astrobwt-max-size=N skip hashes with large stage 2 size, default: 550, min: 400, max: 1200
  • --astrobwt-avx2 enable AVX2 optimizations for AstroBWT algorithm
  • -S, --syslog use system log for output messages
  • -l, --log-file=FILE log all output to a file
  • --print-time=N print hashrate report every N seconds
  • --no-color disable colored output
  • --verbose verbose output
  • -c, --config=FILE load a JSON-format configuration file
  • -B, --background run the miner in the background
  • -V, --version output version information and exit
  • -h, --help display this help and exit
  • --dry-run test configuration and exit
  • --export-topology export hwloc topology to a XML file and exit
• It executes itself with the following options:
  • -B → Run the miner in the background
  • -a → Mining Algorithm
  • -o → URL of mining server
  • -u → Username
  • -p → Password
  • -k → Keepalive

Este malware se elimina tras la ejecución.