Light Dark
February 11, 2019 By David Bisson 2 min read

Security analysts identified a sample of Linux crypto-mining malware that kills any other malicious miners upon installation.

Trend Micro researchers discovered the malware while doing a routine log check after spotting a script within one of their honeypots that began downloading a binary connected to a domain. This binary turned out to be a modified version of the cryptocurrency miner XMR-Stak.

The script didn’t stop at downloading this sample of Linux malware, which Trend Micro detected as Coinminer.Linux.MALXMR.UWEIU. It removed other crypto-mining malware and related services affecting the machine at the time of infection. The malware also created new directories and files and stopped processes that shared connections with known IP addresses.

A Likeness to Other Threats

In their analysis of Coinminer.Linux.MALXMR.UWEIU, Trend Micro found that the malware’s script shares certain attributes with other threats it previously detected. Specifically, researchers observed similarities between this malicious coin miner and Xbash, a malware family discovered by Trend Micro in September 2018 that combines ransomware, cryptocurrency mining, worm and scanner capabilities in its attacks against Linux and Windows servers.

Researchers also noted that the threat’s code is nearly identical to that of KORKERDS, crypto-mining malware Trend Micro uncovered back in November 2018. There are a few differences, however.

The new script simplified the routine by which KORKERDS downloads and executes files and loads the Linux coin malware sample. It also didn’t uninstall security solutions from or install a rootkit on the infected machine. In fact, the script’s kill list targeted both KORKERDS and its rootkit component. This move suggests that those who coded the script are attempting to maximize their profits while competing with the authors of KORKERDS.

Strengthen Your Crypto-Mining Malware Defenses

Security professionals can help defend against Linux crypto-mining malware by using an endpoint management and security platform capable of monitoring endpoints for suspicious behavior. Organizations should also leverage security information and event management (SIEM) tools that can notify security teams of high central processing unit (CPU) and graphics processing unit (GPU) usage — key indicators of cryptocurrency mining activities — during nonbusiness hours.

 |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature