Palo Alto Networks Unit 42 researchers have revealed that a widespread family of cryptocurrency mining malware has evolved: it now disables cloud security agents to evade detection and keep mining.
Unit 42 attributes the samples to the cryptojacking group "Rocke". Once the malware has gained administrative access to a Linux-based cloud server, it uninstalls the host's security agents and continues mining cryptocurrency undetected.
According to the blog post, the researchers stated that “we realized that these samples used by the Rocke group adopted a new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.”
Normally an administrator would expect an alert when malware tampers with a cloud security agent. This malware, however, runs the vendors' own documented uninstall procedures for each product, so the removal looks like routine administrative action and raises no alarm.
The researchers noted that the malware is narrowly targeted: it is built to remove five cloud security agents sold by the Chinese providers Alibaba Cloud and Tencent Cloud.
The report stated that “These products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally. To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner.”
The researchers also found that the malware kills any pre-existing mining processes on the host, then adds firewall (iptables) rules that stop competing cryptojacking software from functioning. It then downloads and runs its own miner, using an LD_PRELOAD trick to hide the process from administrators.
LD_PRELOAD does not make the malware start before other processes; it tells the dynamic linker to load a chosen shared library into every dynamically linked program ahead of libc. A library loaded this way can replace libc functions, typically readdir(), which tools such as ps and top use to enumerate /proc, so the miner's PID is filtered out of what administrators see while the miner keeps running.
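A defender-side check for the hiding trick described above, as an added example that is not code from Unit 42, Palo Alto Networks or the Rocke samples. It assumes the hider works the usual way, by hooking libc's readdir() so that chosen PIDs vanish from directory listings of /proc, and relies on the fact that such a hook does not cover stat(): a PID that answers to stat("/proc/<pid>") but is missing from the listing is hidden. It also flags entries in /etc/ld.so.preload, which is normally absent or empty. The sample preload content and the library path in it are constructed for the demonstration.

```python
"""Checks for LD_PRELOAD-style process hiding on a Linux host.

Added example, not code from Unit 42 or from the Rocke samples. Assumes the
hider hooks libc readdir() (so os.listdir('/proc') is filtered) but not
stat() (so os.path.exists('/proc/<pid>') still tells the truth).
"""
import os
from typing import Callable, Iterable, List, Set

PRELOAD_FILE = "/etc/ld.so.preload"   # absent or empty on an ordinary host

# Constructed sample of what a tampered /etc/ld.so.preload might contain;
# the library path is invented for this example.
SAMPLE_PRELOAD = "# added by an intruder\n/usr/local/lib/libhidepid.so\n"


def unexpected_preloads(preload_text: str, allowlist: Iterable[str] = ()) -> List[str]:
    """Return the library paths in ld.so.preload text that are not allowlisted.

    The file is a whitespace-separated list of paths; this parser also skips
    blank lines and '#' comments. Any entry is suspicious unless a site has
    deliberately allowlisted it.
    """
    allowed = set(allowlist)
    return [
        entry
        for line in preload_text.splitlines()
        for entry in line.split("#", 1)[0].split()
        if entry not in allowed
    ]


def hidden_pids(listed: Set[int], pid_exists: Callable[[int], bool], pid_max: int) -> Set[int]:
    """PIDs that pid_exists() confirms but that are absent from `listed`.

    `listed` is what a readdir()-based listing of /proc returned (the view a
    hooked libc presents); `pid_exists` probes each candidate through a call
    the hook does not cover. Keeping the two separate makes the logic
    testable without a live /proc.
    """
    return {pid for pid in range(1, pid_max + 1)
            if pid not in listed and pid_exists(pid)}


def scan_proc(proc: str = "/proc") -> Set[int]:
    """Compare the two views of a live procfs and return confirmed hidden PIDs.

    A process that starts or exits between the two passes would show up as a
    false positive, so every candidate is re-listed and re-probed before it is
    reported. Walking up to pid_max costs one stat() per PID (a few seconds
    with the default 4194304 on a modern kernel).
    """
    def listing() -> Set[int]:
        return {int(name) for name in os.listdir(proc) if name.isdigit()}   # readdir()

    def exists(pid: int) -> bool:
        return os.path.exists(os.path.join(proc, str(pid)))               # stat()

    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            pid_max = int(fh.read().strip())
    except (OSError, ValueError):
        return set()   # not a Linux procfs: nothing to compare

    candidates = hidden_pids(listing(), exists, pid_max)
    still_listed = listing()
    return {pid for pid in candidates if pid not in still_listed and exists(pid)}


def check_host() -> dict:
    """Gather both findings for this host; empty values mean nothing suspicious."""
    try:
        with open(PRELOAD_FILE) as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    return {
        "preloads": unexpected_preloads(preload_text),
        "ld_preload_env": os.environ.get("LD_PRELOAD", ""),
        "hidden_pids": sorted(scan_proc()),
    }


if __name__ == "__main__":
    print("constructed sample ->", unexpected_preloads(SAMPLE_PRELOAD))
    for key, value in check_host().items():
        print(f"{key}: {value!r}")
```

Run it as root so every /proc/<pid> is visible to stat(). A clean host yields an empty preload list and no hidden PIDs; a hider that also hooks stat() or the getdents64 syscall would defeat this comparison, so treat it as one signal alongside an integrity check of /etc/ld.so.preload itself.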
Cryptojacking has become harder to pull off as users grow more aware of it and keep their hardware and software up to date. The researchers expect more malware like this Linux coin miner to appear in the near future.