Analysis by: Arianne Grace Dela Cruz

ALIASES:

LINUX.CoinMiner (IKARUS); LINUX/Kinsing.a (NAI)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Coinminer

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

  TECHNICAL DETAILS

File Size: 14,643,200 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 28 Dec 2020

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Coinminer adds the following folders:

  • /tmp/.ICEd-unix

It drops the following files:

  • /tmp/.ICEd-unix/uuid

It drops and executes the following files:

  • /tmp/kdevtmpfsi

Backdoor Routine

This Coinminer executes the following commands from a remote malicious user:

  • Download and execute a file
  • Update downloaded files
  • Execute a command
  • Execute a command and send output to server
  • Create an HTTP request
  • Create a TCP request
  • Brute-force Redis instances
  • Execute MASSCAN IP Port Scanner
    • Drops firewire.sh to download and execute the masscan tool

Process Termination

This Coinminer terminates the following processes if found running in the affected system's memory:

  • kdevtmpfsi

Information Theft

This Coinminer gathers the following data:

  • OS Version
  • OS Name
  • OS Architecture
  • Product Name
  • Product Version
  • Product Serial
  • Product UUID
  • Board Vendor
  • Board Name
  • Board Version
  • Board Serial
  • Board Asset Tag
  • Chassis Vendor
  • Chassis Type
  • Chassis Version
  • Chassis Serial
  • Chassis Asset Tag
  • Bios Vendor
  • Bios Version
  • Bios Date
  • Sys Vendor
  • Kernel Version

Other Details

This Coinminer does the following:

  • This backdoor checks for the connection to the following URL to choose which C2 server to send and receive information:
    • {BLOCKED}.53.140
    • {BLOCKED}102.77
    • {BLOCKED}48.183
    • {BLOCKED}77.79
    • {BLOCKED}179.88
    • {BLOCKED}154.208
    • {BLOCKED}.150.99
    • {BLOCKED}46.81
    • {BLOCKED}2.107
    • {BLOCKED}.224.182
    • {BLOCKED}.179.225
    • {BLOCKED}.224.21
    • {BLOCKED}.23.210
    • {BLOCKED}238.176
    • {BLOCKED}159.2
    • {BLOCKED}220.193
  • This backdoor receives its commands via HTTP GET to the following URL:
    • {Server}/GET

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 17.248.04
FIRST VSAPI PATTERN DATE: 12 Dec 2021
VSAPI OPR PATTERN File: 17.249.00
VSAPI OPR PATTERN Date: 13 Dec 2021

Scan your computer with your Trend Micro product to delete files detected as Coinminer.Linux.KINSING.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.