Less than a week until TNW València 🇪🇸 Get a last-minute 30% discount on your ticket

This article was published on January 17, 2019

Cryptocurrency mining malware has become self-aware (kinda)


Cryptocurrency mining malware has become self-aware (kinda)
Matthew Beedham
Story by

Matthew Beedham

Editor, SHIFT by TNW

Matthew is the editor of SHIFT. He likes electric cars, and other things with wheels, wings, or hulls. Matthew is the editor of SHIFT. He likes electric cars, and other things with wheels, wings, or hulls.

A common form of cryptocurrency mining malware has evolved and is now able to switch off security services to continue mining without being detected.

Security researchers at Palo Alto Networks’ Unit 42 discovered that the malware used by cryptojacking group “Rocke” is able to gain administrative privileges to Linux-based cloud servers and uninstall vital security programs. This means the malware can go on illicitly mining coins undetected.

Typically, if a piece of malware were to uninstall cloud-based security services, the system admin would be alerted. However, as the cryptojacker’s malware followed the official uninstall procedures of the security services in question, it remained undetected.

It seems this instance of cryptojacking malware is highly targeted, as it is designed to remove five pieces of cloud-based security services from Chinese firms Alibaba and Tencent.

According to Unit 42, the malware also kills any other preexisting mining processes that might be running on the server. It then adds internet protocol (IP) rules that block other cryptojacking software from working. The malware then downloads and runs the coin miner using a “preload” trick to hide the process from system admins.

The “preload” trick effectively runs the process before any other system processes to obscure its origin and keep it working on the server whilst remaining somewhat undetectable.

As netizens of the world wise-up to the threat of cryptojacking and keep their hardware and software up-to-date cryptojackers face an ever harder job. However, given the outright sneakiness of this malware, researchers at Unit 42 think we’ll be seeing a lot more attacks of this nature in the near future.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with