Analysis by: Karen Ivy Titiwa

ALIASES:

HEUR:RiskTool.Linux.BitCoinMiner.n(KASPERSKY); ELF:BitCoinMiner-CE [Tool](AVAST)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Coinminer

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 2,622,916 bytes
File Type: , ELF
Memory Resident: Yes
Initial Samples Received Date: 28 Aug 2020

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Information Theft

This Coinminer gathers the following data:

  • Product Name
  • Product Version
  • Product Serial
  • Product UUID
  • Board Vendor
  • Board Name
  • Board Version
  • Board Serial
  • Board Asset Tag
  • Chassis Vendor
  • Chassis Type
  • Chassis Version
  • Chassis Serial
  • Chassis Asset Tag
  • Bios Vendor
  • Bios Version
  • Bios Date
  • Sys Vendor
  • Kernel Version

Other Details

This Coinminer does the following:

  • It accepts the following parameters:
    • -o
      • --url=URL - URL of mining server
    • -a
      • --algo=ALGO - mining algorithm https://xmrig.com/docs/algorithms
      • --coin=COIN - specify coin instead of algorithm
    • -u
      • --user=USERNAME - username for mining server
    • -p
      • --pass=PASSWORD - password for mining server
    • -O
      • --userpass=U:P - username:password pair for mining server
    • -k
      • --keepalive - send keepalived packet for prevent timeout (needs pool support)
      • --nicehash - enable nicehash.com support
      • --rig-id=ID - rig identifier for pool-side statistics (needs pool support)
      • --tls - enable SSL/TLS support (needs pool support)
      • --tls-fingerprint=HEX - pool TLS certificate fingerprint for strict certificate pinning
      • --daemon - use daemon RPC instead of pool for solo mining
      • --daemon-poll-interval=N - daemon poll interval in milliseconds (default: 1000)
      • --self-select=URL - self-select block templates from URL
    • -r
      • --retries=N - number of times to retry before switch to backup server (default: 5)
    • -R
      • --retry-pause=N - time to pause between retries (default: 5)
      • --user-agent - set custom user-agent string for pool
      • --donate-level=N- donate level, default 5%% (5 minutes in 100 minutes)
      • --donate-over-proxy=N - control donate over xmrig-proxy feature
      • --no-cpu - disable CPU mining backend
    • -t
      • --threads=N - number of CPU threads
    • -v
      • --av=N - algorithm variation, 0 auto select
      • --cpu-affinity - set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
      • --cpu-priority - set process priority (0 idle, 2 normal to 5 highest)
      • --cpu-max-threads-hint=N - maximum CPU threads count (in percentage) hint for autoconfig
      • --cpu-memory-pool=N - number of 2 MB pages for persistent memory pool, -1 (auto), 0 (disable)
      • --no-huge-pages - disable huge pages support
      • --asm=ASM - ASM optimizations, possible values: auto, none, intel, ryzen, bulldozer
      • --randomx-init=N - threads count to initialize RandomX dataset
      • --randomx-no-numa - disable NUMA support for RandomX
      • --api-worker-id=ID - custom worker-id for API
      • --api-id=ID - custom instance ID for API
      • --http-host=HOST- bind host for HTTP API (default: 127.0.0.1)
      • --http-port=N - bind port for HTTP API
      • --http-access-token=T- access token for HTTP API
      • --http-no-restricted - enable full remote access to HTTP API (only if access token set)
      • --opencl - enable OpenCL mining backend
      • --opencl-devices=N - list of OpenCL devices to use
      • --opencl-platform=N- OpenCL platform index or name
      • --opencl-loader=N - path to OpenCL-ICD-Loader (OpenCL.dll or libOpenCL.so)
      • --opencl-no-cache - disable OpenCL cache
      • --print-platforms - print available OpenCL platforms and exit
    • -S
      • --syslog - use system log for output messages
    • -l
      • --log-file=FILE - log all output to a file
      • --print-time=N - print hashrate report every N seconds
      • --no-color - disable colored output
    • -c
      • --config=FILE - load a JSON-format configuration file
    • -B
      • --background - run the miner in the background
    • -V
      • --version - output version information and exit
    • -h
      • --help - display this help and exit
      • --dry-run - test configuration and exit
      • --export-topology - export hwloc topology to a XML file and exit
  • Supported algo options:
    • cryptonight/0
    • cryptonight
    • cryptonight/1
    • cryptonight-monerov7
    • cryptonight_v7
    • cryptonight/2
    • cryptonight-monerov8
    • cryptonight_v8
    • cryptonight/r
    • cryptonight_r
    • cryptonight/fast
    • cryptonight/msr
    • cryptonight/half
    • cryptonight/xao
    • cryptonight_alloy
    • cryptonight/rto
    • cryptonight/rwz
    • cryptonight/zls
    • cryptonight/double
    • cryptonight-lite/0
    • cryptonight-lite/1
    • cryptonight-lite
    • cryptonight-light
    • cryptonight_lite
    • cryptonight-aeonv7
    • cryptonight_lite_v7
    • cryptonight-heavy/0
    • cryptonight-heavy
    • cryptonight_heavy
    • cryptonight-heavy/xhv
    • cryptonight_haven
    • cryptonight-heavy/tube
    • cryptonight-bittube2
    • cryptonight-pico
    • cryptonight-pico/trtl
    • cryptonight-turtle
    • cryptonight-ultralite
    • cryptonight_turtle
    • randomx/0
    • randomx/test
    • RandomX
    • randomx/wow
    • RandomWOW
    • randomx/loki
    • RandomXL
    • randomx/arq
    • RandomARQ
    • argon2/chukwa
    • argon2/wrkz
    • RandomWOW
    • RandomXL
    • RandomARQ
    • RandomX
  • Supported coin options:
    • monero
    • arqma
  • Reads the information contained in the following files:
    • /sys/fs/cgroup/cpuset//cpuset.cpus
    • /sys/fs/cgroup/cpuset//cpuset.mems
    • /sys/devices/system/cpu/online
    • /sys/bus/cpu/devices/cpu0/topology/thread_siblings
    • /sys/bus/cpu/devices/cpu0/topology/die_cpus
    • /sys/bus/cpu/devices/cpu0/topology/core_siblings
    • /sys/bus/cpu/devices/cpu0/topology/physical_package_id
    • /sys/bus/cpu/devices/cpu0/index0/level
    • /sys/devices/system/cpu/possible
    • /sys/fs/cgroup/cpuset//cpuset.cpus
    • /sys/fs/cgroup/cpuset//cpuset/mems
    • /sys/devices/system/cpu/online
    • /sys/bus/cpu/devices/cpu{0-4}/topology/package_cpus
    • /sys/bus/cpu/devices/cpu{0-4}/topology/core_cpus
    • /sys/bus/cpu/devices/cpu{0-4}/topology/thread_siblings
    • /sys/bus/node/devices/node{0-4}/cpumap
    • /sys/bus/cpu/devices
    • /sys/bus/cpu/devices/cpu{0-4}/topology
    • /sys/bus/cpu/devices/cpu{0-4}/topology/core_siblings
    • /sys/bus/cpu/devices/cpu{0-4}/online
    • /sys/bus/cpu/devices/cpu{0-4}/topology/physical_package_id
    • /sys/bus/cpu/devices/cpu{0-4}/topology/die_cpu
    • /sys/bus/cpu/devices/cpu{0-4}/topology/core_id
    • /sys/bus/cpu/devices/cpu{0-4}/topology/book_siblings
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/level
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/size
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/coherency_line_size
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/number_of_sets
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/physical_line_partition
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/shared_cpu_map
    • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/type
    • /sys/kernel/mm/hugepages
    • /sys/bus/node/devices
    • /sys/bus/node/devices/node{0-4}/hugepages
  • Check the directory of running processes

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 16.198.04
FIRST VSAPI PATTERN DATE: 31 Aug 2020
VSAPI OPR PATTERN File: 16.199.00
VSAPI OPR PATTERN Date: 01 Sep 2020

Scan your computer with your Trend Micro product to delete files detected as Coinminer.Linux.MALXMR.UWELD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.