Linux Cryptominer Trojan Hiding Within an Image File

March 16, 2018


Because of the cryptocurrency market's significant growth in the past couple of years, everyone wants a piece of that pie. Ransomware is still the most popular way for cybercriminals to generate that cryptocurrency income, but these days everything from personal computers to mobile devices and servers is being targeted as a possible host for secretly mining cryptocurrency. This week the SonicWall Capture Labs Threat Research Team received reports of malware that purports to be an image file but drops a cryptominer for Linux.

Infection cycle:

At first look, this file appears to be harmless. It renders as the following image when opened:

It also carries a valid, standard header for a PNG file:

On closer inspection, past the end of the PNG data we find the header of a second file format: ELF, the standard executable format on Linux. Image viewers stop rendering at the PNG's IEND chunk, so the appended executable does not affect how the picture is displayed.

Carving this executable out of the file, we find that it is an XMRig Monero cryptocurrency miner.
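The appended-ELF technique described above can be detected and carved with a short PNG chunk walker: parse the chunk list (4-byte length, 4-byte type, data, 4-byte CRC) up to IEND, then look for the ELF magic `\x7fELF` in whatever follows. The script below is an added example written for this post, not code from SonicWall or from the sample; the PNG and the "ELF" it operates on are constructed inline (a 1x1 pixel image followed by a fake 64-byte ELF header) so that it runs offline. It does not look for executables hidden inside ancillary chunks such as tEXt or zTXt, only for data trailing the IEND chunk, which is the layout this sample uses.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"


def png_payload_end(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC
    (CRC covers type + data). Raises ValueError on a malformed PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        # Check the CRC so a forged or corrupted chunk list is noticed rather
        # than silently walked past.
        expected = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual = zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF
        if expected != actual:
            raise ValueError(f"bad CRC in chunk {ctype!r} at offset {pos}")
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def find_trailing_elf(data: bytes):
    """Return (offset, elf_bytes) for an ELF image appended after IEND, else None."""
    end = png_payload_end(data)
    idx = data.find(ELF_MAGIC, end)
    if idx < 0:
        return None
    return idx, data[idx:]


def elf_ident(elf: bytes) -> dict:
    """Decode the e_ident / e_type / e_machine fields of a carved ELF header."""
    if not elf.startswith(ELF_MAGIC) or len(elf) < 20:
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", elf[16:20])
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, f"unknown({ei_class})"),
        "data": {1: "little-endian", 2: "big-endian"}.get(ei_data, f"unknown({ei_data})"),
        "e_type": {2: "EXEC", 3: "DYN"}.get(e_type, e_type),
        "e_machine": {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}.get(e_machine, e_machine),
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed test input: a valid 1x1 PNG with a fake ELF64 header appended.

    This is NOT the real sample from the post; the 'ELF' is only a header
    (class=ELF64, little-endian, e_type=EXEC, e_machine=x86-64) plus filler.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 px, 8-bit RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")      # filter byte + 1 red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    fake_elf = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident (16 bytes)
                + struct.pack("<HH", 2, 62)                      # e_type, e_machine
                + b"\x00" * 44                                   # rest of the 64-byte header
                + b"FAKE-ELF-BODY")
    return png + fake_elf


if __name__ == "__main__":
    sample = build_sample()
    hit = find_trailing_elf(sample)
    if hit is None:
        print("no trailing ELF after IEND")
    else:
        off, elf = hit
        print(f"ELF found at offset {off}, {len(elf)} bytes: {elf_ident(elf)}")
        with open("carved.elf", "wb") as fh:
            fh.write(elf)
```

Run against a suspect file by replacing `build_sample()` with the file's bytes; a clean PNG returns `None`, while a file like the one described here yields the carved executable, which can then be hashed and submitted for analysis without ever executing it. The CRC check matters in practice: a sample that tampers with chunk lengths to confuse parsers will fail loudly instead of the walker silently skipping over the payload.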

Its sole purpose is to mine Monero to the wallet address shown below.

This type of attack is prevalent enough that detections for this specific Gateway Antivirus signature have risen steadily over the past 40 days.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: CoinMiner.AEO (Trojan)