A common form of cryptocurrency mining malware has evolved and can now uninstall a cloud host's security agents so that it keeps mining without being detected.
Security researchers at Palo Alto Networks' Unit 42 discovered that the malware used by the cryptojacking group "Rocke" gains root on Linux-based cloud servers and removes the security agents running on them. With the agents gone, the malware can go on illicitly mining coins undetected.
Typically, if a piece of malware disabled or deleted a cloud security agent, the tampering would trigger an alert to the system admin. However, because Rocke's malware runs the vendors' own official uninstall procedures, the removal looks like a deliberate administrative action rather than tampering, and no alert is raised.
This instance of cryptojacking malware appears to be highly targeted: it is written to remove five specific cloud security and monitoring agents offered by the Chinese cloud providers Alibaba Cloud and Tencent Cloud.
According to Unit 42, the malware also kills any other pre-existing mining processes that might be running on the server, then adds iptables firewall rules that cut off competing cryptojacking software. Finally it downloads and runs its own coin miner, using a "preload" trick to hide the miner from system admins.
The "preload" trick does not run the miner before other system processes. It adds a malicious shared library to /etc/ld.so.preload, a file the dynamic linker consults before starting every dynamically linked program, so the library is loaded into ps, top and every other tool an admin runs afterwards. Inside those tools the library overrides libc's readdir() and drops the miner's entry from listings of /proc, so the process never appears in their output while it keeps mining on the server.
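The practical counter to this trick is to stop trusting readdir(). The following is an added example written for this article, not Unit 42's or Rocke's code, that audits a Linux host two ways: it reports every entry in /etc/ld.so.preload (the assumption here is that nothing belongs in that file, so the allowlist is empty), and it finds processes that readdir() skips by probing /proc/<n> directly with stat(), which a readdir()-only hiding library does not intercept. Thread IDs also answer a stat() probe, so candidates are filtered by the Tgid field of /proc/<n>/status. It assumes a glibc system with /proc mounted and is meant to be run as root.

```python
"""Added example: audit a Linux host for the /etc/ld.so.preload process-hiding trick.
Not Unit 42's or Rocke's code; assumes a glibc system with /proc mounted, run as root."""
import os
import re
from typing import Dict, Iterable, List, Set

PRELOAD_FILE = "/etc/ld.so.preload"
# Assumption: nothing belongs in ld.so.preload on the hosts being audited,
# so every entry is reported. Add known-good libraries here if your fleet uses any.
KNOWN_GOOD_PRELOADS: Set[str] = set()


def parse_preload(content: str) -> List[str]:
    """Shared objects named in ld.so.preload: whitespace-separated paths, '#' comments."""
    entries: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def suspicious_preloads(entries: Iterable[str],
                        known_good: Set[str] = KNOWN_GOOD_PRELOADS) -> List[str]:
    """Preload entries that are not on the allowlist."""
    return [e for e in entries if e not in known_good]


def tgid_from_status(status_text: str) -> int:
    """The Tgid: field of /proc/<n>/status. For a thread, Tgid differs from its own id."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no Tgid line in status text")
    return int(m.group(1))


def pids_via_readdir(proc: str = "/proc") -> Set[int]:
    """PIDs as a directory listing reports them. os.listdir() calls readdir(), the libc
    function a preloaded hiding library overrides, so a hidden miner is missing here."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_via_stat(pid_max: int, proc: str = "/proc") -> Set[int]:
    """IDs found by stat()ing /proc/<n> directly. Filtering an entry out of readdir()
    does not remove the directory itself, so a hidden process still answers here.
    Thread IDs answer too; the caller filters them with tgid_from_status()."""
    found: Set[int] = set()
    for n in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(n)))
        except FileNotFoundError:
            continue
        except OSError:
            found.add(n)  # exists but not accessible (e.g. hidepid): still a live id
        else:
            found.add(n)
    return found


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """IDs that exist on the host but were absent from the readdir() view."""
    return set(probed) - set(listed)


def audit(proc: str = "/proc") -> Dict[str, object]:
    """Return {'preload': [suspicious .so paths], 'hidden': {pid: comm}}."""
    report: Dict[str, object] = {"preload": [], "hidden": {}}
    try:
        with open(PRELOAD_FILE) as f:
            report["preload"] = suspicious_preloads(parse_preload(f.read()))
    except FileNotFoundError:
        pass  # absent file is the normal state
    with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
        pid_max = int(f.read())
    before = pids_via_readdir(proc)        # list, probe, list again so a process that
    probed = pids_via_stat(pid_max, proc)  # starts or exits mid-scan is not reported
    after = pids_via_readdir(proc)
    hidden: Dict[int, str] = {}
    for n in sorted(hidden_pids(before | after, probed)):
        try:
            with open(os.path.join(proc, str(n), "status")) as f:
                if tgid_from_status(f.read()) != n:
                    continue  # a thread of a visible process, not a hidden process
            with open(os.path.join(proc, str(n), "comm")) as f:
                hidden[n] = f.read().strip()
        except OSError:
            continue  # exited mid-scan, or unreadable because we are not root
    report["hidden"] = hidden
    return report


if __name__ == "__main__":
    result = audit()
    for so in result["preload"]:
        print(f"ld.so.preload entry: {so}")
    for pid, comm in result["hidden"].items():
        print(f"hidden from readdir(): pid {pid} ({comm})")
    if not result["preload"] and not result["hidden"]:
        print("no preload entries, no processes hidden from readdir()")
```

Two caveats. The audit process itself loads the preload library like everything else, which is fine as long as the library only hooks readdir(); a more thorough library that also hooks stat() and open(), or a kernel-level rootkit, would fool it, so confirm findings with a statically linked tool (a static busybox ps, for instance) or from a rescue environment. And on hosts where a few seconds of stat() calls across the full pid_max range matter, run it off-peak.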
As netizens of the world wise up to the threat of cryptojacking and keep their hardware and software up to date, cryptojackers face an ever harder job. However, given the outright sneakiness of this malware, researchers at Unit 42 think we'll be seeing a lot more attacks of this nature in the near future.
Published January 17, 2019 — 15:18 UTC