
Trend Micro discovered an unusual hidden miner under Linux


Mazda3


Cybersecurity analysts at the Japanese company Trend Micro have discovered a cryptocurrency miner, KORKERDS, that exhibits somewhat atypical behavior.

Researchers have not yet determined exactly how the threat spreads. Most likely, however, it is downloaded after the installation of some piece of software or through a compromised plugin.

Researchers assigned the identifier Coinminer.Linux.KORKERDS.AB to the miner, which mines the XMR cryptocurrency. Notably, a second component is also used: the rootkit Rootkit.Linux.KORKERDS.AA, which "hides" the mining process from monitoring tools.

Once the hidden miner starts running, CPU load rises to 100%. However, it is not easy for the user to find out why. The situation is complicated by a rootkit that hooks the readdir and readdir64 APIs of the libc library: the normal library file is overwritten, with readdir replaced by a fake version.

The malicious version of readdir is used to hide the mining process (kworkerds). After that, identifying the miner becomes much harder, even though the processor load points to suspicious activity.

According to the researchers, the new miner may pose a threat not only to servers but also to ordinary Linux users.
Source: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth
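The readdir hook described above only filters directory listings; it does not stop the kernel from answering a direct stat() on /proc/&lt;pid&gt;. The following added example (my own detection script, not code from Trend Micro or from the post) compares the two views of /proc to surface processes that a readdir-based rootkit hides. It assumes a standard Linux /proc mount and a process name the page gives (kworkerds) only as a hint for the reader.

```python
import os

PROC = "/proc"  # assumed standard procfs mount point


def listed_pids(proc=PROC):
    """PIDs as reported by readdir() on /proc.

    os.listdir() goes through libc readdir/readdir64, so a rootkit that
    replaces those functions (as KORKERDS does) can drop entries here.
    """
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc=PROC, max_pid=None):
    """PIDs found by stat()ing /proc/<pid> for every candidate PID.

    Nothing here enumerates the directory, so a readdir hook cannot filter
    the result; the kernel answers each stat() call directly.
    """
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}")
        except FileNotFoundError:
            continue
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs that exist (probed) but were omitted from the readdir() view."""
    return set(probed) - set(listed)


def describe(pid, proc=PROC):
    """Best-effort process name from /proc/<pid>/comm (may race with exit)."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan(proc=PROC, max_pid=None):
    """Map hidden PID -> comm. A second listdir() after probing absorbs
    processes that were merely created while the probe was running."""
    listed = listed_pids(proc)
    probed = probed_pids(proc, max_pid)
    listed |= listed_pids(proc)
    return {pid: describe(pid, proc) for pid in sorted(hidden_pids(listed, probed))}


if __name__ == "__main__":
    # Any PID printed here exists but is invisible to ls/ps; the KORKERDS
    # miner would show up as a process named kworkerds.
    for pid, name in scan().items():
        print(f"hidden pid {pid}: {name}")
```

Run it as root so every /proc/&lt;pid&gt;/comm is readable; on a clean host it prints nothing, and a full scan over pid_max takes a few seconds.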
