Cloud service providers such as Huawei Cloud are now being targeted by a new variant of a previously known crypto-mining malware. The malware is Linux-based, and its initial version began operating in 2020, when its victims were Docker containers.
TrendMicro researchers discovered this new version of the known crypto-mining malware. It still relies on older features, but the new campaign also brings evolved and enhanced capabilities.
What’s New with This Crypto-mining Malware?
The Infection Process
As described by researchers in their report, the recent version of this Linux crypto-mining malware has new features:
- The function that creates firewall rules has been commented out in the new samples.
- It still drops a network scanner, whose purpose is to map hosts by probing API-relevant ports.
- Only cloud environments are targeted this time.
- It looks for and removes previous malicious cryptojacking scripts.
- Once the coin miner has infected a Linux system, it removes users created by other attackers.
- After those previous users are deleted, the cryptojackers add their own users.
- These users are added to the sudoers list, which gives the attackers root access to the device.
- A personal ssh-RSA key is used for system changes and file permissions.
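The persistence steps listed above (accounts removed and re-created, new entries in sudoers, a foreign ssh-RSA key in authorized_keys) are all visible in a handful of host files, so a defender can audit them against a known-good baseline. The script below is an added example written for this page, not code from TrendMicro or from the malware report; the baseline values, the `fake_key_line` helper and all sample file contents are constructed for the demonstration and are not real key material or indicators from the campaign.

```python
"""Audit sudoers, authorized_keys and passwd content for the persistence
changes described above. Example code added for this page; all baselines
and sample inputs are constructed, hypothetical values."""
import base64
import hashlib

# Hypothetical per-host baseline (assumption: maintained by config management).
APPROVED_SUDO_PRINCIPALS = {"root", "%sudo", "deploy"}
BASELINE_USERS = {"root", "deploy", "alice"}


def fake_key_line(key_type, label, comment):
    """Build a constructed authorized_keys line; the blob is NOT a real key."""
    blob = base64.b64encode(label.encode()).decode()
    return f"{key_type} {blob} {comment}"


def key_fingerprint(line):
    """SHA256 fingerprint of a public key line, in ssh-keygen -l -E sha256 form.

    Options such as command="..." may precede the key type, so scan for the
    first token that looks like a key type rather than assuming position 0.
    """
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None  # comment, blank line or unparseable entry


def parse_sudoers(text):
    """Return the set of user/group principals that are granted rules."""
    principals = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults", "@include")):
            continue
        first = line.split()[0]
        if first.endswith("_Alias"):  # User_Alias, Cmnd_Alias, ... definitions
            continue
        principals.update(p for p in first.split(",") if p)
    return principals


def parse_passwd(text):
    """Map account name -> uid from passwd-format text."""
    users = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 3 and not raw.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users


def audit(sudoers_text, authorized_keys_text, passwd_text,
          approved_principals, approved_fingerprints, baseline_users):
    """Return (finding_type, detail) tuples for deviations from the baseline."""
    findings = []
    for p in sorted(parse_sudoers(sudoers_text) - approved_principals):
        findings.append(("unexpected_sudoer", p))
    for line in authorized_keys_text.splitlines():
        fp = key_fingerprint(line)
        if fp and fp not in approved_fingerprints:
            findings.append(("unknown_ssh_key", fp))
    current = set(parse_passwd(passwd_text))
    for u in sorted(current - baseline_users):
        findings.append(("user_added", u))
    for u in sorted(baseline_users - current):
        findings.append(("user_removed", u))
    return findings


# Constructed sample host state: an attacker account was added to sudoers,
# a foreign key was dropped, and a legitimate account was removed.
SAMPLE_SUDOERS = """# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
miner ALL=(ALL) NOPASSWD:ALL
@includedir /etc/sudoers.d
"""
APPROVED_KEY_LINE = fake_key_line("ssh-ed25519", "baseline-ops-key", "ops@bastion")
DROPPED_KEY_LINE = fake_key_line("ssh-rsa", "attacker-dropped-key", "root@unknown")
SAMPLE_AUTHORIZED_KEYS = "# managed by config management\n" + \
    APPROVED_KEY_LINE + "\n" + DROPPED_KEY_LINE + "\n"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
miner:x:1001:1001::/home/miner:/bin/bash
"""


def run_demo():
    approved_fps = {key_fingerprint(APPROVED_KEY_LINE)}
    return audit(SAMPLE_SUDOERS, SAMPLE_AUTHORIZED_KEYS, SAMPLE_PASSWD,
                 APPROVED_SUDO_PRINCIPALS, approved_fps, BASELINE_USERS)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

On a real host the three inputs would be read from /etc/sudoers plus the files under /etc/sudoers.d, each user's ~/.ssh/authorized_keys, and /etc/passwd; comparing against a baseline stored off-host matters because the campaign removes competing artifacts and could just as easily tamper with a baseline kept locally.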