Source: System Security Operation and Maintenance
This article is written by Tencent security experts and serves as a “Self-Cleaning Guide for Mining Trojans” to assist security operation and maintenance personnel of government and enterprise clients in self-diagnosing and removing mining Trojans.
1. What is a Mining Trojan
A mining Trojan uses the host's CPU for intensive hash computations and therefore consumes a large amount of CPU resources, severely affecting the normal operation of other applications on the server. To obtain more computing power, attackers typically scan the Internet indiscriminately, most often using SSH brute force and vulnerability exploitation to compromise hosts.
Some mining Trojans also behave like worms: once a host is compromised, the Trojan spreads further into the internal network and persists on the compromised server to maximize profits. The overall attack process of a mining Trojan is roughly illustrated in the following diagram:
2. Characteristics of Mining Trojan Infections
A mining Trojan utilizes the host’s computing power for mining without the user’s knowledge. The most obvious characteristic is the significant CPU consumption on the host. There are two methods to check the CPU usage of a cloud host:
Console Instance Monitoring
Executing the top Command on the Host
As shown in the figure below, by executing the top command, you can see the CPU usage of the system in the returned results.
top -c
If the CPU usage of the cloud host remains high, it is very likely that the host has been implanted with a mining Trojan, which will affect the normal operation of other applications on the server, requiring immediate investigation.
3. Cleaning Mining Trojans
Timely Isolation of the Host
Some mining Trojans with worm functionalities, after gaining control of the host, will continue to penetrate other public hosts or use the current host as a jump box to horizontally infiltrate other hosts within the same local area network. Therefore, upon discovering that the host has been implanted with a mining Trojan, it is essential to isolate the infected host promptly without affecting normal business operations, and then proceed with further analysis and cleaning.
Tencent Cloud hosts can be isolated by configuring security groups. Please refer to the following link for details: https://cloud.tencent.com/document/product/215/20089
Mining Trojans not only connect to mining pools but may also connect to the hacker’s C2 server to receive and execute C2 commands or deliver other malicious Trojans, so timely network blocking is necessary.
(1) Check if there are any suspicious addresses and ports outside the business scope in the currently effective iptables rules of the host’s firewall; they may be the mining pool or C2 addresses of the mining Trojan.
iptables -L -n
(2) Remove suspicious addresses and ports from the iptables rules.
vi /etc/sysconfig/iptables
(3) Block the network communications of the mining Trojan.
iptables -A INPUT -s suspicious_address -j DROP
iptables -A OUTPUT -d suspicious_address -j DROP
Most mining Trojans achieve persistence by writing scheduled tasks in the infected host. Simply clearing the mining process will not eradicate it; at the preset time, the system will download and execute the mining Trojan from the hacker’s C2 server through the scheduled task.
Common scheduled tasks for mining Trojans typically involve downloading and executing sh scripts, as shown in the figure below:
You can execute the following commands to check for suspicious scheduled tasks. If any exist, save the relevant records for subsequent analysis before deleting:
View the scheduled tasks of the current user:
crontab -l
View the scheduled tasks of a specific system user:
crontab -u username -l
View other scheduled task files:
cat /etc/crontab
cat /etc/anacrontab
cat /etc/cron.d/*
cat /etc/cron.daily/*
cat /etc/cron.hourly/*
cat /etc/cron.weekly/*
cat /etc/cron.monthly/*
cat /var/spool/cron/*
Clearing Startup Items
In addition to scheduled tasks, mining Trojans can also achieve persistence by adding startup items. You can use the following commands to check for any abnormal startup services in the boot startup items.
Versions below CentOS7:
chkconfig --list
CentOS7 and above:
systemctl list-unit-files
If any malicious startup items are found, you can disable them using the following commands:
Versions below CentOS7:
chkconfig service_name off
CentOS7 and above:
systemctl disable service_name
Additionally, you should carefully inspect the following directories and files to promptly delete suspicious startup items:
/usr/lib/systemd/system
/usr/lib/systemd/system/multi-user.target.wants
/etc/rc.local
/etc/inittab
/etc/rc0.d/
/etc/rc1.d/
/etc/rc2.d/
/etc/rc3.d/
/etc/rc4.d/
/etc/rc5.d/
/etc/rc6.d/
/etc/rc.d/
When inspecting, you can sort by file modification time, focusing on recently created service items. As shown in the figure, a service named bot.service was recently created on the system, which starts the /etc/kinsing Trojan file at system startup; you need to stop the bot service and delete the /etc/kinsing file.
The file /etc/ld.so.preload lists shared libraries that the dynamic loader loads into every program before any other library. Some Trojans modify this file to add malicious SO files and thereby hide the mining process or implement other malicious functions. Check /etc/ld.so.preload (which is empty by default) and clear any abnormal dynamic link libraries; you can execute `> /etc/ld.so.preload` to empty it.
Mining Trojans often write the hacker’s SSH public key into the ~/.ssh/authorized_keys file, allowing the hacker to log in to the host without a password even if the mining Trojan has been completely removed. Inspect the ~/.ssh/authorized_keys file, and if you find any suspicious SSH public keys, delete them directly.
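As an added example (not code from the article or from Tencent), the following POSIX shell script walks the persistence locations discussed above (cron files, systemd unit and rc files, /etc/ld.so.preload and authorized_keys) and prints every line that matches a small set of download-and-execute indicators, so the records can be saved before anything is deleted. The indicator regex, the path lists and the function names are this example's own assumptions; the root-directory argument lets the same check run against a mounted copy of the disk.

```shell
#!/bin/sh
# Added example, not from the article: audit the persistence locations the
# guide lists under ROOT (default "/", may also be a mounted disk image).
# The indicator regex is this example's own assumption; tune it per site.
SUSPICIOUS='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/tmp/|/dev/shm/|kinsing|xmrig|minerd|stratum\+tcp'

CRON_PATHS="etc/crontab etc/anacrontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron"
UNIT_PATHS="usr/lib/systemd/system etc/systemd/system etc/rc.local etc/rc.d/rc.local etc/init.d"

# Print one finding per line as KIND<TAB>FILE<TAB>CONTENT.
audit_persistence() {
  root="${1:-/}"; root="${root%/}"
  for kind in CRON UNIT; do
    if [ "$kind" = CRON ]; then paths="$CRON_PATHS"; else paths="$UNIT_PATHS"; fi
    for p in $paths; do
      # find handles both single files and directories; missing paths are skipped
      find "$root/$p" -type f 2>/dev/null | while read -r f; do
        grep -E "$SUSPICIOUS" "$f" 2>/dev/null |
          awk -v k="$kind" -v f="$f" '{print k "\t" f "\t" $0}'
      done
    done
  done
  # ld.so.preload is empty by default, so any library listed there deserves a look
  f="$root/etc/ld.so.preload"
  if [ -s "$f" ]; then awk -v f="$f" '{print "PRELOAD\t" f "\t" $0}' "$f"; fi
  # every authorized key is reported so the operator can confirm each one is known
  find "$root/root/.ssh" "$root/home" -name authorized_keys -type f 2>/dev/null |
    while read -r f; do
      grep -E '^[[:space:]]*(ssh-|ecdsa-)' "$f" |
        awk -v f="$f" '{print "SSHKEY\t" f "\t" $1 " " $3}'
    done
}

# Number of findings, handy for a quick "anything to look at?" check.
count_findings() { audit_persistence "$1" | wc -l | tr -d ' '; }
```

Run `audit_persistence / > /root/persistence-findings.txt` on the infected host to keep the records, then remove the entries by hand as described above.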
Clearing Mining Processes
(1) Clearing Mining Processes
The most significant feature of mining Trojans is that they utilize the host’s computing power for mining without the user’s knowledge, consuming a large amount of CPU resources. Therefore, by executing the following commands, you can check for processes occupying a large amount of CPU resources in the system.
top -c
ps -ef
After confirming that the process is a mining process, remove it in the following order. First, obtain and record the file path of the mining process:
ls -l /proc/$PID/exe
Then kill the mining process:
kill -9 $PID
Finally, delete the file at the recorded path.
(2) Clearing Other Related Malicious Processes
Malicious processes often hold network connections or listen on ports while communicating with external C2 servers. Execute the following command to check whether any unauthorized ports are being listened on, or unauthorized connections are open, on the server.
netstat -antp
If there are unauthorized processes, remove them in the following order. First, obtain and record the file path of the unauthorized process:
ls -l /proc/$PID/exe
Then kill the unauthorized process:
kill -9 $PID
Finally, delete the file at the recorded path.
You can also check for recently added files using the following commands to remove related Trojans:
find /etc -ctime -2 (lists files under /etc whose status changed in the last 2 days, which includes newly added files)
lsof -c kinsing (lists the files opened by processes whose command name begins with kinsing)
Risk Assessment and Security Hardening
Conduct a risk assessment and security hardening of the system to prevent mining Trojans from resurfacing. For details, please refer to the following link: https://cloud.tencent.com/document/product/296/9604
4. Common Issues
Why does the mining Trojan return shortly after cleaning it?
Many users report that mining Trojans are difficult to clean thoroughly. They may have killed the process and deleted the Trojan file, yet the CPU usage rises again shortly after. The root cause is often insufficient cleaning. Most users only kill the mining process and corresponding files but do not clear scheduled tasks and daemon processes.
It is generally recommended to first clear scheduled tasks, startup items, and daemon processes before clearing the mining process and other malicious processes.
How to determine if a suspicious process is malicious?
As shown in the figure, the unknown process kinsing is listening on local port 31458, which is very suspicious. You can determine whether it is malicious as follows:
(1) Execute `ls -al /proc/$PID/exe` to confirm the file corresponding to the suspicious process;
(2) If the file has not been deleted, upload it to VirusTotal for detection, or calculate the file's md5 and query VirusTotal with that md5; if the file has been deleted, execute `cat /proc/$PID/exe > /tmp/t.bin` to dump the process image to a specific directory, then upload the dump file to VirusTotal or query VirusTotal with its md5. If multiple antivirus engines detect it at the same time, the process can generally be judged to be malicious.
VirusTotal address: https://www.virustotal.com/gui/s
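Added example (not code from the article) covering both the record-then-kill steps in section 3 and the dump step in the answer above: it saves the exe path, command line and working directory of a process, copies the binary through /proc/PID/exe (which still works after the Trojan has deleted its own file from disk), and prints the md5 for a VirusTotal lookup. The function names and the optional PROC argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: preserve evidence of a suspicious process
# before it is killed. PROC defaults to /proc; it is a parameter only so the
# function can be checked against a copied tree.

file_md5() {  # md5sum on Linux, openssl as a fallback elsewhere
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1"; else openssl dgst -md5 -r "$1"; fi |
    awk '{print $1}'
}

# usage: preserve_process PID OUTDIR [PROC]; prints the md5 of the dumped binary
preserve_process() {
  pid="$1"; out="$2"; proc="${3:-/proc}"; src="$proc/$pid"
  [ -d "$src" ] || { echo "no such process: $pid" >&2; return 1; }
  mkdir -p "$out" || return 1
  # readlink shows the on-disk path; " (deleted)" is appended when the file is gone
  target=$(readlink "$src/exe" 2>/dev/null) || target="unknown"
  printf 'pid=%s\nexe=%s\n' "$pid" "$target" > "$out/info.txt"
  case "$target" in
    *" (deleted)") echo "note: binary removed from disk, dump taken from the mapped image" >> "$out/info.txt" ;;
  esac
  printf 'cwd=%s\n' "$(readlink "$src/cwd" 2>/dev/null || echo unknown)" >> "$out/info.txt"
  # cmdline is NUL-separated; turn it into one readable line
  [ -r "$src/cmdline" ] && { tr '\0' ' ' < "$src/cmdline"; echo; } >> "$out/info.txt"
  # the kernel keeps the executable image open, so this works even when deleted
  cat "$src/exe" > "$out/exe.bin" 2>/dev/null || { echo "cannot read $src/exe" >&2; return 1; }
  file_md5 "$out/exe.bin" | tee "$out/md5.txt"
}
```

Run `preserve_process "$PID" /root/evidence/$PID` before `kill -9 $PID`, then query VirusTotal with the printed md5 or upload exe.bin.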
Why is the system CPU usage close to 100%, yet I cannot see which process is causing it?
As shown in the figure, the system CPU usage is close to 100%, yet it is not visible which process is causing it. This situation usually occurs because system commands have been tampered with by the Trojan, hiding the traces of the Trojan process and preventing users from conducting source analysis.
There are several ways in which commands can be tampered with, as follows:
(1) The top binary itself has been replaced with a modified version that filters the malicious process out of its output before returning results.
If the Trojan left the original binary behind as /usr/bin/top.original (as the command below assumes), you can restore it by executing:
rm -rf /usr/bin/top && mv /usr/bin/top.original /usr/bin/top
【Related Articles】
https://blog.csdn.net/chenmozhe22/article/details/112578057
(2) A malicious shared object has been preloaded: commands such as ls, top and ps are hijacked by the Trojan’s dynamic link library, so they no longer return information about the Trojan process.
By executing the following command, you can restore it:
> /etc/ld.so.preload && rm -rf malicious_so_file_path
【Related Articles】
https://cloud.tencent.com/developer/article/1744547
(3) System commands may also be tampered with in other, unknown ways.
In that case you can try the following two approaches:
i. Copy the command’s binary from another system of the same version and overwrite the tampered one; use the uname -a command to check the current system version;
ii. Or install BusyBox and use it to inspect the system.
BusyBox bundles over 300 commonly used Linux commands and tools into a single program, so you can use its built-in commands in place of the system ones when inspecting the system:
yum -y install wget make gcc perl glibc-static ncurses-devel libgcrypt-devel
wget http://busybox.net/downloads/busybox-1.33.0.tar.bz2
tar -jxvf busybox-1.33.0.tar.bz2
cd busybox-1.33.0 && make && make install
【Related Articles】
https://www.cnblogs.com/angryprogrammer/p/13456681.html
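Added example, not code from the article, for the "CPU near 100% but no process visible" case above: it compares the kernel's total CPU accounting in /proc/stat with the CPU time of every process visible under /proc. A preloaded library that filters directory listings hides its process from ps, top and this script alike, but the totals in /proc/stat still include it, so the hidden share appears as the gap between the two numbers. The function names, the optional PROC argument and the 20% threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article. PROC defaults to /proc; it is a parameter
# only so the functions can be checked against a copied tree.

# Print "BUSY VISIBLE": non-idle jiffies of all CPUs, and jiffies of visible PIDs.
cpu_snapshot() {
  proc="${1:-/proc}"
  # cpu line: user nice system idle iowait irq softirq steal ... (idle, iowait skipped)
  busy=$(awk '$1=="cpu"{print $2+$3+$4+$7+$8+$9; exit}' "$proc/stat")
  # per-process stat: drop "pid (comm) " first, then utime/stime are fields 12 and 13
  visible=$(for d in "$proc"/[0-9]*; do
              sed -n 's/^.*) //p' "$d/stat" 2>/dev/null
            done | awk '{s += $12 + $13} END {print s + 0}')
  echo "$busy $visible"
}

# Percentage of CPU time between two snapshots that no visible process accounts for.
hidden_cpu_pct() {  # args: "BUSY1 VISIBLE1" "BUSY2 VISIBLE2"
  set -- $1 $2
  dbusy=$(($3 - $1)); dvis=$(($4 - $2))
  [ "$dbusy" -gt 0 ] || { echo 0; return; }
  echo $(( (dbusy - dvis) * 100 / dbusy ))
}

# Sample the live system over N seconds (default 5) and report the hidden share.
# Usage on the host: check_hidden_cpu 5
check_hidden_cpu() {
  first=$(cpu_snapshot "${2:-/proc}"); sleep "${1:-5}"; second=$(cpu_snapshot "${2:-/proc}")
  pct=$(hidden_cpu_pct "$first" "$second")
  echo "unaccounted CPU over the interval: ${pct}%"
  # a few percent is normal (short-lived processes exit between samples);
  # a consistently large share points at a process hidden from the listing
  [ "$pct" -lt 20 ]
}
```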