Analysis by: John Anthony Banes
 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Hacking Tool may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  TECHNICAL DETAILS

File Size: 3,938,712 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 24 Dec 2017
Payload: Affects system's computing power

Arrival Details

This Hacking Tool may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by the following malware/grayware from remote sites:

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Other Details

This Hacking Tool does the following:

  • This hacking tool is a coin miner used to generate bitcoins and it requires credentials for the mining server.
  • The mining process eats up a system's computing power. As such, infected systems sustain increased wear and tear from processing coin blocks and the infected systems will work abnormally slow.
  • It accepts the following parameters:
    • --help → This message.
    • -c [ --config ] arg → Name of configuration file. Multiple configuration files allowed.
    • --compat-check arg → Exit right after compatibility checks with provided return code.
    • -t [ --threads ] arg → The number of threads for mining (default is to autodetect), when t<=0 use autodetect+t threads.
    • -M [ --mine ] arg → Mining target in YAM URI format (protocol, worker name, password, pool address, pool ports, coin type, mining parameters). Multiple mining targets allowed.
    • -P [ --mining-params ] arg → Mining parameters in parameter list format (coin:param1=value1¶m2=value2¶m3=value3. Multiple parameter groups allowed.
    • -W [ --worker-params ] arg → Worker parameters in parameter list format (worker_index:param1=value1¶m2=value2¶m3=value3. Multiple parameter groups allowed.
    • --compact-stats arg → Enable compact statistics output (uses less screen space).
    • --print-timestamps arg → Enable printing timestamps for every output line.
    • --proxy arg → Proxy server to use in format type://user:password@host:port (check documentation for supported proxy types and usage details).

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  SOLUTION

Minimum Scan Engine: 9.850
SSAPI PATTERN File: 1.905.00
SSAPI PATTERN Date: 28 Dec 2017

Scan your computer with your Trend Micro product to delete files detected as HKTL_COINMINE.GQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.