Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners

description: While conducting a routine log check, we noticed an interesting script from one of our honeypots downloading a binary connected to a domain. Upon further analysis, we found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS. It installs cryptocurrency-mining malware and implants itself into the system and crontabs to survive reboots and deletions.

publish date:

reference:

IOC Table
total 10

type              value
domain            drnfbu.xyz
domain            yxarsh.shop
FileHash-SHA256   2f7ff54b631dd0af3a3d44f9f916dbde5b30cdbd2ad2a5a049bc8f2d38ae2ab6
FileHash-SHA256   d9390bbbc6e399a388ac6ed601db4406eeb708f3893a40f88346ee002398955c
URL               http://drnfbu.xyz:26750
URL               http://yxarsh.shop
URL               http://yxarsh.shop/0
URL               http://yxarsh.shop/1.jpg
URL               http://yxarsh.shop/64
URL               http://yxarsh.shop/86