
Virus writers spread miners for Linux and Windows

August 2, 2018

Cryptocurrency mining software that runs without the user's knowledge is widespread among cybercriminals. Most such miners are written for Windows; Linux miners are less common. Doctor Web security researchers recently detected one, and describe it below.

The malicious software and mining utilities discussed in this article were downloaded onto one of our "honeypots" (special servers that Doctor Web specialists use as decoys for cybercriminals). Security researchers first detected such attacks on Linux servers at the beginning of May 2018. The cybercriminals connected to the server over the SSH protocol, having found the login and password by dictionary brute force. After authenticating, they disabled the iptables utility that manages the firewall, then downloaded a mining utility and its configuration file to the attacked server. To launch the utility, they edited the contents of /etc/rc.local. After that, they closed the connection.
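
The intrusion sequence above (dictionary brute force over SSH, then a persistence entry in /etc/rc.local) leaves traces a defender can look for. The following script is an added example, not Doctor Web's code: it flags password logins that follow a run of failures from the same source IP, and rc.local entries that start an executable from outside the usual package directories. The auth.log lines and rc.local contents are constructed for the example; the threshold of three failures and the list of trusted prefixes are assumptions to tune for your hosts.

```python
"""Detect the SSH brute-force -> /etc/rc.local persistence pattern described above.

Added example, not Doctor Web's code. AUTH_LOG and RC_LOCAL are constructed
samples; the failure threshold and TRUSTED_PREFIXES are assumptions.
"""
import re
from collections import defaultdict

# Constructed OpenSSH auth.log excerpt (real sshd message format; host, IPs and
# users are made up): five failures from one IP, then a successful password login.
AUTH_LOG = """\
May  3 02:11:01 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51020 ssh2
May  3 02:11:03 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
May  3 02:11:05 web1 sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
May  3 02:11:07 web1 sshd[4127]: Failed password for root from 203.0.113.7 port 51026 ssh2
May  3 02:11:09 web1 sshd[4129]: Failed password for root from 203.0.113.7 port 51028 ssh2
May  3 02:11:12 web1 sshd[4131]: Accepted password for root from 203.0.113.7 port 51030 ssh2
May  3 02:40:00 web1 sshd[4200]: Accepted publickey for deploy from 198.51.100.5 port 40001 ssh2
"""

# Constructed /etc/rc.local: the nohup line is the kind of entry the attackers add,
# a miner started from a writable hidden directory rather than a package path.
RC_LOCAL = """\
#!/bin/sh -e
# rc.local
/usr/sbin/ntpd -g &
nohup /tmp/.x/minerd -c /tmp/.x/config.json >/dev/null 2>&1 &
exit 0
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

# Assumed: directories a properly installed service is started from.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/etc/", "/opt/")


def bruteforce_successes(log_text, threshold=3):
    """Return (user, ip, failures) for each password login that succeeded after
    `threshold` or more failed password attempts from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures[ip] >= threshold:
                hits.append((user, ip, failures[ip]))
    return hits


def suspicious_rc_local(content):
    """Return rc.local command lines whose executable is an absolute path
    outside TRUSTED_PREFIXES (e.g. /tmp, /var/tmp, /dev/shm, a home directory)."""
    flagged = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "exit 0":
            continue
        tokens = stripped.split()
        # Skip wrappers so the real binary is the one inspected
        while tokens and tokens[0] in ("nohup", "setsid", "sudo"):
            tokens = tokens[1:]
        if not tokens:
            continue
        binary = tokens[0]
        if binary.startswith("/") and not binary.startswith(TRUSTED_PREFIXES):
            flagged.append(stripped)
    return flagged


if __name__ == "__main__":
    for user, ip, n in bruteforce_successes(AUTH_LOG):
        print(f"brute-force success: {user}@{ip} after {n} failures")
    for entry in suspicious_rc_local(RC_LOCAL):
        print(f"suspicious rc.local entry: {entry}")
```

On a live host, feed the script the real /var/log/auth.log (or `journalctl -u ssh` output) and /etc/rc.local; the iptables tampering the article mentions does not show up in either file and is better caught by comparing the running ruleset (`iptables -S`) against the one you expect.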

In June, the cybercriminals changed this scheme and started using malicious software that has been added to the Dr.Web virus databases under the name Linux.BtcMine.82. This Trojan is written in Go. It is a dropper that carries a packed miner in its body: it saves the miner to disk and launches it, which considerably simplifies the attack. The wallet address to which mined cryptocurrency is sent is hardcoded in the malware's body.
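
Because the wallet address (and, typically, the pool the miner talks to) is embedded as a string in the dropper or miner body, a quick static triage can recover indicators without running the sample. The script below is an added example, not Doctor Web's tooling. The write-up does not say which coin was mined, so the address patterns cover several common formats and are assumptions; the sample binary, the addresses and the pool hostname in it are constructed.

```python
"""Recover hard-coded wallet addresses and pool endpoints from a miner/dropper body.

Added example, not Doctor Web's tooling. SAMPLE_BLOB is a constructed stand-in
for a dropper: junk bytes around the kind of strings such binaries embed. The
coin mined by the real sample is not stated, so ADDRESS_PATTERNS are assumed
formats for several common coins; the addresses and pool host are made up.
"""
import re

# Assumed address formats; extend for the coin family you are hunting
ADDRESS_PATTERNS = {
    "bitcoin_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "bitcoin_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "monero": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
# Stratum pool endpoints as most miners take them in config or on the command line
POOL_RE = re.compile(r"stratum\+tcp://[A-Za-z0-9.\-]+:\d{2,5}")

# Constructed addresses: syntactically valid shapes, not real wallets
BTC_ADDR = "1FakeAddrSyntheticNotRea1234"
MONERO_ADDR = "4A" + "1Fake" * 18 + "1Fa"    # 95 chars, Monero-style prefix

SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 12             # ELF-like header
    + b"Go build ID\x00"                                   # Go binaries carry one
    + b"-o " + BTC_ADDR.encode() + b"\x00"
    + b"\x8a\x03\xff" + b"stratum+tcp://pool.example.net:3333\x00"
    + b"-u " + MONERO_ADDR.encode() + b" -p x\x00"
    + b"\x00" * 8
)


def extract_strings(blob, min_len=8):
    """Return printable-ASCII runs of at least min_len bytes, in file order
    (the same idea as `strings -n 8`)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_mining_iocs(blob):
    """Scan extracted strings for wallet addresses and pool URLs.
    Returns {"wallets": [(kind, address), ...], "pools": [url, ...]}, deduplicated."""
    wallets, pools = [], []
    for s in extract_strings(blob):
        for kind, pat in ADDRESS_PATTERNS.items():
            for m in pat.finditer(s):
                if (kind, m.group()) not in wallets:
                    wallets.append((kind, m.group()))
        for url in POOL_RE.findall(s):
            if url not in pools:
                pools.append(url)
    return {"wallets": wallets, "pools": pools}


if __name__ == "__main__":
    print(find_mining_iocs(SAMPLE_BLOB))
```

Run it on the unpacked miner rather than on the dropper alone when the embedded payload is packed: a packed body yields no readable strings, so extract the payload first (or dump it after the dropper writes it to disk) and scan that. A wallet address recovered this way is a durable indicator, since the attacker cannot change it without forfeiting the mined funds of every already-infected host.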

[Screenshot: Linux.BtcMine.82]

Security researchers examined the cybercriminals' server from which this Trojan was downloaded and found several Windows miners on it.

[Screenshot: Linux.BtcMine.82]

The Windows version of the miner is a self-extracting RAR archive that contains a configuration file, several VBS scripts that launch the miner, and the mining utility itself. When the archive is run, the utility is unpacked to the %SYSTEMROOT%\addins folder and registered as a service named SystemEsinesBreker.
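
A defender can look for this persistence with a rule over the host's service inventory: a service whose binary lives under %SYSTEMROOT%\addins (an empty folder on a stock install) or whose name matches the one above. The script below is an added example, not Doctor Web's code. The service records are constructed, the executable file names in them are assumed, and the expansion of %SYSTEMROOT% to C:\Windows is an assumption; on a real host the records would come from the registry's Services key or `Get-CimInstance Win32_Service`.

```python
"""Flag Windows services whose binary sits in %SYSTEMROOT%\\addins or whose name
matches the service described above.

Added example, not Doctor Web's code. SERVICES is a constructed inventory of
(service name, ImagePath) pairs; the executable names are assumed, and ENV is
an assumed expansion of the environment variables seen in ImagePath values.
"""
import ntpath
import re

# Assumed expansions; on a live host read them from the registry or os.environ
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}

# Drop folder and service name taken from the write-up (lower-cased for comparison)
FLAGGED_DIRS = ("c:\\windows\\addins\\",)
KNOWN_BAD_NAMES = {"systemesinesbreker"}

# Constructed inventory: two benign services and two that match the pattern
SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ("Spooler", r'"C:\Windows\System32\spoolsv.exe"'),
    ("SystemEsinesBreker", r"C:\Windows\addins\svchost.exe -c config.txt"),
    ("UpdateHelper", r'"%SystemRoot%\addins\update.exe" -q'),
]


def image_path(cmdline):
    """Extract the executable from an ImagePath value (a quoted path, or the first
    whitespace-delimited token), expand known env vars and normalise for comparison."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    if not m:
        return ""
    raw = m.group(1) or m.group(2)
    for var, val in ENV.items():
        # lambda replacement avoids backslash processing in the substituted text
        raw = re.sub(re.escape(var), lambda _m: val, raw, flags=re.IGNORECASE)
    return ntpath.normpath(raw).lower()


def suspicious_services(services):
    """Return (name, normalised path, reasons) for every service that hits a rule."""
    findings = []
    for name, cmdline in services:
        path = image_path(cmdline)
        reasons = []
        if path.startswith(FLAGGED_DIRS):
            reasons.append("binary in " + ntpath.dirname(path))
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("service name from the Tool.BtcMine write-up")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_services(SERVICES):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```

The path rule is the durable one: a service name is trivially changed between builds, while dropping the payload into an unusual system folder is a habit that survives renames, so keep the folder check even after the name stops appearing.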

[Screenshot: Linux.BtcMine.82]

[Screenshot: Linux.BtcMine.82]

Both the 32-bit and 64-bit Windows versions of the miner are detected by Dr.Web Anti-virus as Tool.BtcMine. Our users are reliably protected from the malicious activity of these programs.

More about this Trojan

#Honeypot #Linux #cryptocurrency #mining #Trojan
