Mining virus YiluzhuanqianSer can infect Linux through open Internet ports
A new virus which mines Monero and Ethereum for hackers by using victims’ computers has been discovered by TrendMicro. In a detailed post regarding the problem, experts describe how the virus uses the Remote Desktop Protocol by searching for open Internet ports - 22, 2222 and 502 (the list is not full). Cybersecurity analysts first found it after it got baited by their own honeypot software.
Through various means, the malicious script downloads the actual miner and then ensures its stable work. The virus authors might originate from Asia, as the origin website is a Chinese collocation about money - YiluzhuanqianSer.
The virus can be prevented through TrendMicro products, as the website boasts. Another efficient method of defense is not to click questionable links. To detect the virus manually, one can use the following clues.
Files
mservice_2_5.sh
yilu.tgz
Yilu_2_5.tgz
URLs
hxxp://p1v24z97c[.]bkt[.]clouddn[.]com
hxxps://www[.]yiluzhuanqian[.]com/soft/linux/yilu_2_5[.]tgz
IPs
114.114.114.114
192.158.22.46
Destination ports
1993, 1992
SHA256 cryptographic keys (COINMINER_TOOLXMR.O-ELF)
- e4e718441bc379e011c012d98760636ec40e567ce95f621ce422f5054fc03a4a
- 2077c940e6b0be338d57137f972b36c05214b2c65076812e441149b904dfc1a8
- adb0399e0f45c86685e44516ea08cf785d840e7de4ef0ec9141d762c99a4d2fe
- 6bbb4842e4381e4b5f95c1c488a88b04268f17cc59113ce4cd897ecafd0aa94b
Image: TrendMicro