Coinminer.SH.HADGLIDER.A
Linux
Threat Type: Coinminer
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
However, as of this writing, the said sites are inaccessible. It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.
TECHNICAL DETAILS
Arrival Details
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Coinminer does the following:
- It tries to connect to an arbitrary URL/IP randomly to get a list of IP addresses and tries to connect to it and scans for the following open Docker ports:
- 2375
- 2376
- 2377
- 4244
- 4243
- Once it is connected to an arbitrary URL/IP, it connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/init.sh - detected asTrojan.SH.HADGLIDER.A
However, as of this writing, the said sites are inaccessible.
It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.
SOLUTION
Scan your computer with your Trend Micro product to delete files detected as Coinminer.SH.HADGLIDER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.