Linux.BtcMine.174: New Linux Cryptominer steals the root password


The Trojan Linux.BtcMine.174 reads passwords, deactivates the antivirus, spreads via SSH and mines Monero.

In general, there is less malware for Linux than for Windows machines, but the malware that does target Linux has become more complex and mature over time. According to a ZDNet report, the Russian antivirus vendor Dr. Web has found a Trojan that consists of about 1,000 lines of code.

The Trojan, called Linux.BtcMine.174, first copies itself to a folder for which it has write permissions and then downloads additional modules. Once on the system, it obtains root privileges and takes control of the Linux OS. It also adds itself to autostart, then downloads and executes a rootkit that can, for example, read passwords entered by the user.

Cryptomining via Trojan

Then it does what it was written for: it uses the PC's computing power to mine the cryptocurrency Monero. So that it does not have to share that power with anyone, it first disables several other Trojans that are also mining cryptocurrency.

But that's not all: Linux.BtcMine.174 also disables various antivirus solutions running on the computer. According to Dr. Web, processes such as safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord are disabled by the Trojan. Finally, the Trojan tries to copy itself over SSH to other computers connected to the infected device.

Dr. Web has uploaded the Trojan's file hashes to GitHub to help system administrators who want to search their systems for this relatively new threat.
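The two behaviours the article describes that an administrator can check for directly are the files the Trojan drops into a writable directory and the security daemons it disables. The following script is an added example written for this page; it is not Dr. Web's tooling and it does not contain their published hashes. It hashes every regular file under a directory and reports matches against an IoC set (the `IOC_SHA256` value here is a constructed placeholder that must be replaced with the hashes from Dr. Web's GitHub repository), and it lists which of the daemons named in the article are absent from the process table, read from `/proc` rather than via `ps` so the check does not rely on a tool a rootkit might have tampered with. The `EXPECTED_ON_THIS_HOST` list is an assumed operator setting.

```python
"""Defensive triage helpers for the Linux.BtcMine.174 report (added example)."""
import hashlib
import os
from typing import Dict, Iterable, List, Set

# Placeholder IoC set, constructed for this example. Replace with the SHA-256
# values Dr. Web published on GitHub before running this on a real host.
IOC_SHA256: Set[str] = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

# Process names the article reports the Trojan disables.
WATCHED_DAEMONS: List[str] = [
    "safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdavd",
    "cmdmgd", "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord",
]

# Assumed operator configuration: which of the watched daemons should be
# running on this particular host. Only these are reported when missing.
EXPECTED_ON_THIS_HOST: List[str] = ["clamd"]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under `root` whose hash is in `iocs`.

    World-writable locations are a sensible starting point, since the report
    says the Trojan first copies itself to a folder it can write to.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow dir symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks so the scan cannot be redirected elsewhere
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in iocs:
                hits[path] = digest
    return hits


def missing_daemons(running: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Return the names in `expected` that do not appear in `running`, in order."""
    present = set(running)
    return [d for d in expected if d not in present]


def running_process_names() -> List[str]:
    """Collect process names from /proc/<pid>/comm (empty list where /proc is absent)."""
    names: List[str] = []
    if not os.path.isdir("/proc"):
        return names
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                names.append(fh.read().strip())
        except OSError:
            continue  # process exited between listdir() and open()
    return names


if __name__ == "__main__":
    for path, digest in scan_tree("/tmp", IOC_SHA256).items():
        print(f"IoC match: {path} {digest}")
    for daemon in missing_daemons(running_process_names(), EXPECTED_ON_THIS_HOST):
        print(f"expected security daemon not running: {daemon}")
```

Run it as root so every file under the scanned directory is readable; a missing expected daemon is only a signal, and the process table itself should be cross-checked from a trusted medium if the host is suspected of carrying a rootkit.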
