Linux cryptocurrency miners are installing rootkits to hide themselves

Rootkit component hides the crypto-mining process that causes high CPU usage from local, built-in Linux process monitoring utilities.
Written by Catalin Cimpanu, Contributor

Security researchers from Trend Micro have stumbled upon a new malware strain that mines cryptocurrency on Linux computers, but which is also different from previously seen cryptominers because it downloads a rootkit to alter the operating system's behavior and hide the unwanted high CPU usage that usually comes with cryptocurrency mining.

Currently, Trend Micro has not identified the way through which the malware --which they named KORKERDS-- infects systems, but they don't believe this recent wave of infections is the result of an intrusive mass-hacking campaign.

Instead, researchers believe crooks are using poisoned Linux applications that have been modified to silently download and install the KORKERDS cryptominers during the installation process of a legitimate app. Which app? Trend Micro hasn't figured that out yet.

But researcher did say that the KORKERDS samples they've recently analyzed would do more than just install a Monero miner --also downloading and installing a rootkit, which they described as "a slightly modified/repurposed version of publicly available code."

Image: Trend Micro

Besides allowing KORKERDS to survive OS reboots, the rootkit component also contained code a slightly strange feature.

Trend Micro says that KORKERDS' authors modified the rootkit to hide the cryptominer's main process from Linux's native process monitoring tools.

"The rootkit hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library," researchers said. "The rootkit will override the normal library file by replacing the normal readdir file with the rootkit's own version of readdir."

This malicious version of readdir works by hiding processes named "kworkerds" --which in this case is the cryptominers' process.

Linux process monitoring tools will still show 100 percent CPU usage, but admins won't be able to see (and kill) the kworkerds process causing the CPU resource consumption problems.


Linux process monitoring tool showing 100% CPU usage, but kworkerds process responsible for this problem

Image: Trend Micro

Trend Micro's KORKERDS report contains a technical breakdown of the malware's infection routine, including file names, processes, and file hashes that Linux users may be interested in tracking and using for debugging possibly-infected systems.

Based on the fact that KORKERDS is distributed inside legitimate apps, this also suggests the malware might also be a threat to Linux desktop users as well, and not only to servers, where almost all Linux cryptominers have been observed in the past two years.

Linux users weren't the only ones that have been targeted by sneaky cryptocurrency-mining malware. Trend Micro also published a second report yesterday on another malware strain that targeted Windows users and which also used various techniques in an attempt of staying hidden as much as possible on infected systems.

Related coverage:

Editorial standards