Analysis of #Koske #miner.

It is an AI-generated #Linux #malware which was hidden in images with pandas. It supports a wide variety of coinminers for various cryptocurrencies, for GPUs and for different CPU architectures. Its other component, the #rootkit #hideproc, tries to hide the Koske miner from file listings and process lists.

https://malwarelab.eu/posts/koske-panda-ai/

Video from #anyrun analysis:

https://www.youtube.com/watch?v=1OSPp996XQ4

#koskeminer #coinminer #blueteam #cybersecurity #dfir #malwareanalysis #infosec #reverseengineering

Supershell Malware Being Distributed to Linux SSH Servers

A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then install Supershell directly or via a downloader script. The malware is downloaded from web and FTP servers. While Supershell is the initial payload for control hijacking, XMRig Monero CoinMiners are often installed alongside it, suggesting cryptocurrency mining as the ultimate goal. To protect against such attacks, administrators should use strong passwords, update systems regularly, and implement security measures like firewalls.

Pulse ID: 66ed5aecd1c4b20f7441ddef
Pulse Link: https://otx.alienvault.com/pulse/66ed5aecd1c4b20f7441ddef
Pulse Author: AlienVault
Created: 2024-09-20 11:22:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CoinMiner #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #SSH #Word #bot #cryptocurrency #AlienVault

PS4 emulator installs the CoinMiner XMRig

Warning! This supposed PS4 emulator is in fact a rather dangerous and well-hidden CoinMiner.

Tarnkappe.info
Linux Machines with Poorly Secured SSH Servers... » Linux Magazine

A new cryptocurrency miner is attacking Linux servers to co-opt them into a cryptocurrency mining network as well as spreading distributed denial-o...

Linux Magazine

#Typosquat alert: Someone set up a #fake site that mimics Sophos branding on Sopbos[.]com and that site delivers a #malware #coinminer installer called SophosInstaller.exe

If you work on a team with a #domain #reputation service or feature, please mark that domain as #malicious.

Let's all work to render this kind of garbage, and their domain registration, utterly useless. #FAFO

Some of the final payloads overlap with previously-reported threats, such as #Truebot (#downloader, often linked to Cl0p #ransomware), #Buhti (ransomware), #MoneroOcean (a #coinminer, discussed here: https://news.sophos.com/en-us/2021/12/02/two-flavors-of-tor2mine-miner-dig-deep-into-networks-with-powershell-vbscript/), and #Mirai (a #botnet #worm).

One such example of a #miner, shown in the screenshot below, details the commands to terminate the processes and services used by other, competing malicious miners before launching their own #Monero (#XMR) mining software. This cynical form of 'capture the flag' is commonplace behavior among the threat actor groups who deploy and maintain hostile miners.

5/6

Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript

Using remote scripts and code, one variant can even execute filelessly until it gains administrative credentials.

Sophos News

Analysis of a multi-platform coin miner & generic RAT. Has persistence via crontab & systemctl, can execute shell commands & DoS certain protocols.

#SysmonforLinux #RAT #CoinMiner

1/

I've come across this interesting article by AhnLab about how SHC is being used to deploy malicious payloads on GNU/Linux systems: "Shc Linux Malware Installing CoinMiner".

https://asec.ahnlab.com/en/45182/

A nice reason to spend some time on this as follows in this thread.

#ThreatIntelligence #Mitre #T1496 #GNU #Linux #Coinminer

Shc Linux Malware Installing CoinMiner - ASEC BLOG

AhnLab Security Emergency response Center

ASEC BLOG
New shc Linux Malware used to deploy CoinMiner

Researchers discovered a new Linux malware developed with the shell script compiler (shc) that was used to deliver a cryptocurrency miner. The ASEC analysis team recently discovered a Linux malware developed with the shell script compiler (shc) that threat actors used to install a CoinMiner. The experts believe attackers initially compromised targeted devices through a […]

Security Affairs