Analysts at the Japanese cyber security company Trend Micro have discovered a cryptocurrency miner, KORKERDS, that exhibits some unusual behavior. The findings were reported on the company's website.
The researchers have not yet fully determined how the threat spreads; most likely, it is downloaded after the installation of certain software or through a compromised plugin.
The miner, which mines the cryptocurrency Monero (XMR), was assigned the detection name Coinminer.Linux.KORKERDS.AB. Notably, it also uses a second component, a rootkit (Rootkit.Linux.KORKERDS.AA), which hides the mining process from monitoring tools.
Once the hidden miner starts, the system's CPU usage rises to 100%, yet the user has difficulty determining the cause. The rootkit complicates matters by hooking the libc API functions readdir and readdir64: the normal library file is overwritten and readdir is replaced with a fake version.
The modified readdir is used to hide the mining process (kworkerds), which makes the miner much harder to identify even though the CPU usage points to suspicious activity.
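As an added example, not from the article or from Trend Micro's report: a rootkit that replaces libc's readdir, as described above, filters the process list that libc returns, but it cannot change what the kernel itself reports, so comparing the two views of /proc exposes PIDs that have been hidden. The program is written for Linux; MAX_PIDS is an assumed ceiling, not a value from the article.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MAX_PIDS 65536  /* assumption: PIDs >= this are ignored in both views; raise to match /proc/sys/kernel/pid_max */
struct linux_dirent64 { unsigned long long d_ino; long long d_off; unsigned short d_reclen;
                        unsigned char d_type; char d_name[]; };  /* getdents64 record (kernel ABI) */
/* A /proc entry names a process only if it is all digits ("self", "sys", ... are not). */
int is_pid_name(const char *name) {
    for (const char *c = name; *c; c++) if (*c < '0' || *c > '9') return 0;
    return *name != '\0';
}
static void mark(unsigned char *seen, const char *name) {
    long p = is_pid_name(name) ? atol(name) : 0;
    if (p > 0 && p < MAX_PIDS) seen[p] = 1;
}
/* View 1: PIDs as reported by libc readdir(), the function the rootkit replaces. */
static void pids_via_readdir(unsigned char *seen) {
    DIR *d = opendir("/proc"); struct dirent *e;
    if (!d) return;
    while ((e = readdir(d)) != NULL) mark(seen, e->d_name);
    closedir(d);
}
/* View 2: PIDs straight from the kernel via getdents64, bypassing the libc wrapper. */
static void pids_via_getdents(unsigned char *seen) {
    char buf[32768]; int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return;
    for (long n; (n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < n; off += ((struct linux_dirent64 *)(buf + off))->d_reclen)
            mark(seen, ((struct linux_dirent64 *)(buf + off))->d_name);
    close(fd);
}
/* Returns how many PIDs the kernel lists but readdir() omits; 0 on a clean host. The kernel view is
 * taken first and a PID is flagged only if it still exists, so processes that exit in between are skipped. */
int count_hidden_pids(void) {
    unsigned char from_libc[MAX_PIDS] = {0}, from_kernel[MAX_PIDS] = {0};
    char path[64]; int hidden = 0;
    pids_via_getdents(from_kernel); pids_via_readdir(from_libc);
    for (long p = 1; p < MAX_PIDS; p++) {
        if (!from_kernel[p] || from_libc[p]) continue;
        snprintf(path, sizeof path, "/proc/%ld/comm", p);
        if (access(path, F_OK) != 0) continue;           /* exited between the two scans */
        printf("PID %ld is hidden from readdir(); inspect %s\n", p, path); hidden++;
    }
    return hidden;
}
int main(void) { return count_hidden_pids() > 0 ? 1 : 0; }
```

On a clean host the two views agree and nothing is printed; any PID that is printed deserves a look at its /proc/<pid>/comm and /proc/<pid>/exe, since tools such as ps and top rely on the very readdir the rootkit replaces.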
According to the researchers, the new miner may pose a threat not only to servers but also to ordinary Linux users.
As a reminder, in June analysts at Palo Alto Networks reported that 5% of all Monero coins had been mined through hidden mining.