Rewterz

ADVISORY ON CVE-2013-2094 & CVE-2016-5195 – Linux Crypto-miner trojan and privilege escalation exploits

A new Linux crypto-miner, delivered as a shell script, exploits two kernel privilege escalation vulnerabilities to obtain root, steals root passwords and disables antivirus software.

IMPACT:  MEDIUM

PUBLISH DATE:  26-11-2018

OVERVIEW

Doctor Web has identified a Linux crypto-miner, detected as Linux.BtcMine.174, that can steal root passwords and disable the system's antivirus.

The trojan first identifies and kills rival cryptocurrency-mining malware, then downloads and starts its own Monero miner. It also installs a rootkit and a second malware strain capable of launching DDoS attacks.

ANALYSIS

This new malware strain doesn’t have a distinctive name and is being tracked by its generic detection name of Linux.BtcMine.174.

Despite the generic name, the trojan is more complex than most Linux malware because of the number of malicious features it bundles.

The trojan itself is a shell script of over 1,000 lines and is the first file executed on an infected system. Its first action is to find a directory on disk to which it has write permission; it copies itself there and later uses the same directory to download its other modules.

Once it has a foothold, the trojan tries two privilege escalation exploits to gain root and full control of the OS: CVE-2016-5195 (Dirty COW, a race condition in the kernel's copy-on-write handling, fixed upstream in October 2016) and CVE-2013-2094 (an out-of-bounds write via the perf_event_open() subsystem, fixed in kernel 3.8.9 in May 2013). Both have been patched for years, so on a host that is current on kernel errata neither exploit succeeds and the miner stays confined to the privileges of the account it landed on; on an unpatched kernel it gains root, which is what lets it install its rootkit and disable security tooling.

INDICATORS OF COMPROMISE

SHA1 file hashes for the trojan’s various components are available on GitHub.

https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174

Doctor Web's full analysis of the trojan, for administrators who want to scan their systems:

https://vms.drweb.com/virus/?i=17645163
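The script below is an added example, not Rewterz' or Doctor Web's code, showing how an administrator could hunt for the dropped components described above. It hashes every regular file in the directories a low-privileged foothold can normally write to (/tmp, /var/tmp and /dev/shm by default, overridable through SCAN_DIRS) and compares the SHA1 digests against an IoC list, and on Linux also reports running processes whose executable resolves into one of those directories. The IoC file format is an assumption made here: one hexadecimal SHA1 at the start of each line, with comment and blank lines ignored; the hashes themselves are the ones published in the DoctorWebLtd repository linked above and are not reproduced in the script. The file name hunt.sh is likewise arbitrary.

```shell
#!/bin/sh
# Added example (not Rewterz' or Doctor Web's code). Hunts for a miner that
# stages itself in a writable directory by hashing files there and matching
# the SHA1s against an IoC list. Assumed IoC list format: one hex SHA1 at
# the start of each line; comment and blank lines are ignored.

# Default scan locations: directories any account can normally write to.
SCAN_DIRS=${SCAN_DIRS:-"/tmp /var/tmp /dev/shm"}

# sha1_of FILE -> prints the SHA1 hex digest (coreutils or BSD tooling).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum -- "$1" | cut -d' ' -f1
  else
    shasum -a 1 -- "$1" | cut -d' ' -f1
  fi
}

# load_iocs FILE -> prints normalised (lowercase) SHA1s, one per line.
# Lines that do not start with exactly 40 hex digits are dropped.
load_iocs() {
  tr 'A-F' 'a-f' < "$1" | grep -E '^[0-9a-f]{40}' | grep -Ev '^[0-9a-f]{41}' | cut -c1-40
}

# scan_dirs IOC_FILE DIR... -> prints "sha1  path" for each file whose
# digest is in the IoC list. Exit 0 if anything matched, 1 if nothing did,
# 2 if the IoC list yielded no usable hashes.
scan_dirs() {
  ioc_file=$1; shift
  hashes=$(load_iocs "$ioc_file")
  [ -n "$hashes" ] || return 2
  found=1
  for d in "$@"; do
    [ -d "$d" ] || continue
    # -xdev keeps the walk on one filesystem; regular files only.
    matches=$(find "$d" -xdev -type f 2>/dev/null | while IFS= read -r f; do
      h=$(sha1_of "$f" 2>/dev/null) || continue
      if printf '%s\n' "$hashes" | grep -qx "$h"; then
        printf '%s  %s\n' "$h" "$f"
      fi
    done) || true
    if [ -n "$matches" ]; then
      printf '%s\n' "$matches"
      found=0
    fi
  done
  return "$found"
}

# procs_from_dirs DIR... -> on Linux, prints "pid exe" for every running
# process whose executable resolves into one of DIR... (a miner copied to
# /tmp and started there is listed even after the file has been unlinked,
# because /proc/PID/exe then reads "<path> (deleted)"). Exit 1 without /proc.
procs_from_dirs() {
  [ -d /proc ] || return 1
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    for d in "$@"; do
      case "$exe" in
        "$d"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
      esac
    done
  done
  return 0
}

# Stand-alone use: sh hunt.sh iocs.txt
if [ "${1:-}" ]; then
  scan_dirs "$1" $SCAN_DIRS
  procs_from_dirs $SCAN_DIRS
fi
```

Hash matching only finds the exact samples in the list; a recompiled miner or an edited copy of the dropper script will not match, so treat an empty result as "no known sample found" rather than "clean", and combine it with the process check and a look at CPU usage and outbound connections to mining pools.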

AFFECTED PRODUCTS

Red Hat Virtualization 4.x

Red Hat Enterprise Linux Desktop 7

Red Hat Enterprise Linux HPC Node 7

Red Hat Enterprise Linux Server 7

Red Hat Enterprise Linux Workstation 7

UPDATES

Red Hat Network provides the updated packages via the following links:

http://rhn.redhat.com

https://access.redhat.com/errata/RHSA-2018:3092

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.