{
	"id": "30078211-f66f-42ae-9117-50c6235a607a",
	"created_at": "2026-04-06T03:35:36.434931Z",
	"updated_at": "2026-04-10T13:12:36.581963Z",
	"deleted_at": null,
	"sha1_hash": "bd45e0c692114c4896cbc2719ef3523ead91e278",
	"title": "War of Linux Cryptocurrency Miners A Battle for Resources",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721891,
	"plain_text": "War of Linux Cryptocurrency Miners: A Battle for Resources\r\nBy Alfredo Oliveira, David Fiser · Sep 10, 2020 · Read time: 5 min (1314 words)\r\nPublished: 2020-09-10 · Archived: 2026-04-06 02:52:36 UTC\r\nMalware\r\nThe Linux ecosystem is regarded as more secure and reliable than other operating systems, which possibly explains why Google, NASA, and the US Department of Defense (DoD) use it for their online infrastructures and systems. Unfortunately, Linux isn’t appealing only to high-profile enterprises and organizations; its wide adoption also makes it an attractive target for cybercriminals.\r\nThis blog will discuss the ruthless battle for computing power among the different cryptocurrency-mining malware that target Linux systems. We also look at the attack chain, including shifts in entry points that cover Docker environments and applications with open APIs.\r\nCryptocurrency-mining malware persists, evolves\r\nCryptocurrency mining, which is in itself not malicious, can be likened to the way fortune seekers hunted for gold nuggets during the gold rush of the 1800s. This rush uses computers instead of picks and shovels, and its miners go after cryptocurrencies such as Bitcoin, Monero, Ethereum, and XRP instead of gold. With the market capitalization of cryptocurrencies exceeding US$350 billion, they are true digital treasures.\r\nUnfortunately, not all those who want to strike gold with profitable cryptocurrencies do so legally. 
Cybercriminals abuse cryptocurrency mining by installing cryptocurrency-mining malware on unsuspecting users’ devices and using their processing capabilities without authorization. This lets them profit without investing in any mining infrastructure of their own.\r\nThere has been a massive increase in cryptocurrency-mining malware in recent years, especially in malware that mines Monero. Monero is designed to obscure the sender, receiver, and amount of each transaction, which makes it the currency of choice for illegal mining. We’ve also seen how cybercriminals try to maximize their earnings: they focus on powerful devices with substantial computing capabilities, kill off other cryptocurrency-mining malware, and expand the range of platforms and devices they can infect.\r\nA closer look at battling cryptocurrency-mining malware\r\nWe have been following and studying the increase of Linux cryptocurrency-mining malware for a few years now. Previously, we analyzed KORKERDS, a Linux malware variant that comes bundled with a rootkit that hides its malicious processes from an infected system’s monitoring tools. We also discussed Skidmap, a Linux malware that lowers an infected machine’s security settings (for instance by setting SELinux to permissive mode) and provides backdoor access to malicious actors.\r\nBoth variants are cryptocurrency-mining malware that use complex techniques to exploit a victim’s resources for financial gain. Today, we would like to highlight a characteristic that is becoming more prevalent in the samples we’ve seen in our honeypots and in the wild: routines that disable and remove other, similar malware from infected devices, systems, and environments.\r\nBased on the samples we’ve analyzed, one of the first post-infection routines of these cryptocurrency-mining malware is to detect competing cryptocurrency miners. If it finds any, it kills the competitors’ processes, deletes their traces from the system, and makes sure they cannot run again.\r\nFigure 1. Screenshots of cryptocurrency-mining malware code that kills off other existing cryptocurrency-mining malware in an infected system or device\r\nThese samples do not only target Linux hosts used as personal devices. As more enterprises rely on DevOps to improve operational efficiency, cybercriminals have learned to look at the powerful tools enterprises use, such as Docker and Redis.\r\nThe analyzed samples don’t just search for resource-intensive processes on the host; they also look for deployed Docker containers that are running mining operations. The aim is to guarantee that the most recently deployed malware gets the host’s computing power to itself.\r\nFigure 2. Code that shows how the cryptocurrency-mining malware looks for Docker containers with mining processes\r\nCybercriminals have also been expanding their horizons: they have been seen deploying cryptomining malware to Docker and Kubernetes systems running on AWS infrastructure and stealing AWS credentials from the compromised hosts.\r\nCryptocurrency-mining malware infection chain in open APIs\r\nFigure 3. Cryptocurrency-mining malware infection chain in open APIs\r\nIn the past, the common technique was to exploit a vulnerability in a publicly hosted service to gain code execution, then use that access to build a botnet or install a coinminer. A newer technique is becoming more common: looking for open APIs, such as an unauthenticated Docker daemon or an unprotected Redis instance, that let the attacker spawn containers or execute code without exploiting any software bug. For cryptocurrency-mining malware, this amounts to a move from on-premise devices to containers and the cloud.\r\nThe samples we analyzed show how the malware looks for an exposed application programming interface (API) on the host or on platforms such as Docker and Redis. After finding such a weakness on a victim’s machine, the malware deploys a shell script, a malicious container, or a clean container with a malicious shell script as its entry point, whichever is most applicable.\r\nOnce deployed, the script runs an environmental analysis. It scans the running processes for competing malware and security software, then kills and removes them from the system. These routines can kill every other running cryptocurrency miner, and even legitimate applications that consume the resources the miner needs, by enumerating processes with ps, terminating them with kill, and deleting their files with rm.\r\nFigure 4. Code showing malicious container payload deployment\r\nThe initial script also downloads the necessary payload or payloads, such as the cryptocurrency-mining binaries and other malware variants associated with the attack. The cryptocurrency-mining malware then covers its traces by removing the command history and logs.\r\nWe extracted three unique Monero wallets from the three samples we analyzed. At Monero’s valuation of US$90 per XMR, the cryptocurrency-mining malware had earned roughly US$777 as of September 3, 2020.\r\nFigure 5. Screenshots of Monero wallets associated with cryptocurrency-mining malware samples\r\nHow to win the war against cryptocurrency-mining malware\r\nThe samples we analyzed show that cryptocurrency-mining malware is growing in prevalence as well as complexity. It spreads through devices and environments with worm-like ease, and it hunts and kills competing miners just as easily, whatever family they belong to. As the computing power needed for profitable mining increases, cybercriminals have every incentive to wipe out competitors and monopolize their victims’ resources. System administrators should recognize the importance of thwarting cryptocurrency-mining malware: it causes significant performance degradation, especially on Linux systems that serve critical enterprise functions such as servers, databases, and application development frameworks.
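A defender can turn the behaviours described above into two host checks: flag processes that carry mining-pool arguments or pin the CPU, and find a Docker daemon API or Redis instance listening on every interface, which is where the open-API infection chain starts. The script below is an added example and not code from the Trend Micro post. It assumes procps ps and iproute2 ss, treats TCP 2375/2376 and 6379 as the Docker and Redis default ports, and the ps and ss output it contains is constructed sample data with made-up PIDs, process names, and pool host.

```sh
#!/bin/sh
# Added example, not code from the Trend Micro post. Two defender-side checks for the
# behaviours described in the article, written for POSIX sh + awk so they run on a
# minimal host. All sample data below is CONSTRUCTED for offline use; on a real host
# pipe in the live output of ps and ss instead. PIDs, process names, and the pool host
# in the samples are made up.

# flag_miners: read `ps -eo pid,pcpu,comm,args --no-headers` on stdin and print one
# `PID REASON` line per suspicious process. Mining-pool command-line markers
# (stratum+tcp/stratum+ssl URLs, --donate-level, nicehash) are a strong signal;
# CPU usage alone is weak, which is exactly why the miners in the article end up
# killing legitimate workloads too. This function only reports; a human decides.
flag_miners() {
  awk -v hot=80 -v r_pool=pool-argument -v r_cpu=high-cpu '
    /stratum[+]tcp|stratum[+]ssl|--donate-level|nicehash/ { print $1, r_pool; next }
    $2 + 0 > hot                                          { print $1, r_cpu }
  '
}

# exposed_services: read `ss -ltn` on stdin and print `ADDR:PORT SERVICE` for the
# Docker daemon TCP API (2375 plain, 2376 TLS) or Redis (6379) when bound to all
# interfaces. Loopback-only listeners are left alone: a scanner looking for open
# APIs cannot reach them, so only wildcard binds are reported.
exposed_services() {
  awk -v st=LISTEN -v any4=0.0.0.0 -v any6='[::]' -v star='*' -v d=docker-api -v r=redis '
    $1 != st { next }
    {
      n = split($4, a, /:/)
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr != any4 && addr != any6 && addr != star) next
      if (port + 0 == 2375 || port + 0 == 2376) print $4, d
      else if (port + 0 == 6379) print $4, r
    }
  '
}

# Constructed sample of ps output (PID %CPU COMM ARGS); nothing here is real.
sample_ps() {
cat <<'EOF'
  412  0.3 sshd         /usr/sbin/sshd -D
  988 97.5 xmr-worker   /tmp/.x/xmr-worker -o stratum+tcp://pool.example:3333 -k
 1203 91.2 node         node /srv/app/server.js
 1450  0.1 redis-server /usr/bin/redis-server *:6379
EOF
}

# Constructed sample of ss -ltn output: Docker API on all interfaces, Redis on
# loopback (fine) and on all IPv6 interfaces (not fine).
sample_ss() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:2375        0.0.0.0:*
LISTEN  0       511     127.0.0.1:6379      0.0.0.0:*
LISTEN  0       511     [::]:6379           [::]:*
EOF
}

# Offline demonstration. On a live host use:
#   ps -eo pid,pcpu,comm,args --no-headers | flag_miners
#   ss -ltn | exposed_services
sample_ps | flag_miners
sample_ss | exposed_services
```

On the constructed input the first check reports PID 988 for its pool argument and PID 1203 only for its CPU load, and the second reports 0.0.0.0:2375 and [::]:6379 but not the loopback Redis. The high-cpu reason is deliberately second-class: the node server in the sample is a legitimate workload, and a defensive script that killed everything above 80% CPU would behave exactly like the miners the article describes.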
\r\nTo keep systems, devices, and environments secure, IT and system administrators must follow security best practices such as enforcing the principle of least privilege, regularly patching and updating systems, using multifactor authentication, using verified security extensions, and applying access control policies. Beyond following the security guidelines published by platforms such as Docker and Redis, it is also critical to review API configurations, make sure that API requests are accepted only from known hosts or the internal network, regularly scan hosts for open ports, and limit SSH access.\r\nEnterprises can also benefit from security solutions such as Trend Micro™ Hybrid Cloud Security, which provides powerful, streamlined, and automated security within the organization’s DevOps pipeline and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It is powered by the Cloud One™ platform, which gives organizations a single-pane-of-glass view of their hybrid cloud environments and real-time security through the Network Security, Workload Security, Container Security, Application Security, File Storage Security, and Conformity services.\r\nFor organizations looking for runtime workload, container image, and file and object storage security as software, Deep Security™ and Deep Security Smart Check scan workloads and container images for malware and vulnerabilities at any point in the development pipeline to prevent threats before they are deployed.\r\nIndicators of Compromise\r\nSHA-256  Detection\r\n3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f  Trojan.SH.HADGLIDER.TSE\r\n616c3d5b2e1c14f53f8a6cceafe723a91ad9f61b65dd22b247788329a41bc20e  Trojan.SH.HADGLIDER.TSE\r\n0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d  Trojan.SH.HADGLIDER.TSE\r\n705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0  Trojan.SH.HADGLIDER.TSE\r\n1861eee8333dadcfe0d0dc10461f5f82fada8e42db9aa9efba6f258182e9c546  Trojan.SH.MALXMR.UWEKK\r\nb6e369f0eb241ffb1b63c8c5b2b8a9131a9b98125ca869165f899026ab2c64ba  Trojan.SH.HADGLIDER.TSF\r\nb5f6d6114e1ce863675df1bf2e4bfaeac243e22bb399e64b9a96c6d975330b28  Trojan.SH.MALXMR.UWEKK\r\n36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce  Trojan.SH.MALXMR.UWEKK\r\n1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b  Trojan.SH.MALXMR.UWEKK\r\nbea4008c0f7df9941121ddedc387429b2f26a718f46d589608b993c33f69b828  Trojan.SH.MALXMR.UWEKK\r\n2f514b01cc41d9c2185264e71bd5e5b1f27a7deb6d0074bd454d26390131ef04  Trojan.SH.MALXMR.UWEKK\r\nSource: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html"
	],
	"report_names": [
		"war-of-linux-cryptocurrency-miners-a-battle-for-resources.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446536,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd45e0c692114c4896cbc2719ef3523ead91e278.pdf",
		"text": "https://archive.orkl.eu/bd45e0c692114c4896cbc2719ef3523ead91e278.txt",
		"img": "https://archive.orkl.eu/bd45e0c692114c4896cbc2719ef3523ead91e278.jpg"
	}
}