Linux machine users beware! There is a new Trojan in town that can turn your devices into cryptocurrency mining rigs without your knowledge.
Discovered by the Russian cyber security firm Dr. Web, Linux.Lady (Linux.Lady.1) is a Trojan built to target machines running the Linux operating system. The malicious software, written in the Go programming language, has been found to specifically affect servers running the Redis NoSQL database. Once it has infected a machine, Linux.Lady collects information about the system and transfers it to a command and control server. It then downloads and executes a cryptocurrency mining utility, turning the servers into cryptocurrency mining devices.
According to reports, there are currently over 30,000 Redis servers which are vulnerable to Linux.Lady. The program, built using open source Go libraries freely available on GitHub, is supported by another Trojan called Linux.Downloader.196.
Linux.Downloader.196 is responsible for downloading the main payload after the infection. Dr. Web’s analysis has shown that Linux.Lady sends the following information to its command and control server over SSH:
- Trojan’s version
- Number of CPUs on the machine
- Host’s name
- Number of running processes
- Name of the operating system
- Family of the operating system
- Host’s uptime
Linux.Lady makes itself at home by detecting the infected computer’s external IP. Once the IP is detected, it calculates the mask of the subnet External_ip/8 and connects to remote hosts on port 6379, which is commonly used by Redis.
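One way to look for this behaviour in your own network flow logs, as an added example that is not from Dr. Web's analysis or the original article: it flags internal hosts that contact many distinct addresses on port 6379 inside the /8 of your external IP. The record format, the function name `find_redis_sweepers`, the threshold and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

REDIS_PORT = 6379  # port the article says the Trojan connects to

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
t1 10.0.0.5 203.0.113.1 6379
t2 10.0.0.5 203.0.113.2 6379
t3 10.0.0.5 203.0.113.3 6379
t4 10.0.0.5 203.0.113.4 6379
t5 10.0.0.5 203.0.113.5 6379
t6 10.0.0.5 198.51.100.7 6379
t7 10.0.0.8 203.0.113.20 6379
t8 10.0.0.8 203.0.113.20 6379
t9 10.0.0.9 203.0.113.30 443
malformed line
"""

def find_redis_sweepers(flow_text, external_ip, threshold=5):
    """Map each source to the distinct hosts it contacted on port 6379
    inside external_ip/8, keeping sources at or above the threshold."""
    # strict=False lets us pass a host address and get its enclosing /8
    net = ipaddress.ip_network(f"{external_ip}/8", strict=False)
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _ts, src, dst, port = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
            dst_port = int(port)
        except ValueError:
            continue  # skip unparsable address or port
        if dst_port == REDIS_PORT and dst_ip in net:
            targets[src].add(dst_ip)  # a set counts each target once
    return {src: [str(ip) for ip in sorted(hosts)]
            for src, hosts in targets.items() if len(hosts) >= threshold}

if __name__ == "__main__":
    hits = find_redis_sweepers(SAMPLE_FLOWS, "203.0.113.10")
    for src, hosts in hits.items():
        print(f"{src} contacted {len(hosts)} hosts on port {REDIS_PORT}: {hosts}")
```

A legitimate application server usually talks to a small, fixed set of Redis hosts, so counting distinct destinations rather than connections keeps it below the threshold.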
The digital currency mined on infected systems by Linux.Lady is occasionally sent to its “master’s” wallet. Redis has been known for security vulnerabilities, and Linux.Lady exploits these vulnerabilities to infect other systems on the network as well. The security firm has advised network administrators to implement additional security mechanisms to prevent infection. Mining Bitcoin on computers in the current scenario is virtually impossible, but mining other altcoins is fairly easy and more economical. Information on the total amount of digital currency mined so far by infected systems is not yet available.