New Linux malware merges Mirai botnet with fileless cryptominer

The Cyber Express reports that new Linux malware has been identified, combining the disruptive capabilities of the Mirai botnet with a stealthy, fileless cryptominer, creating a dual-purpose threat for network disruption and illicit profit.

Researchers have detailed a sophisticated campaign employing advanced techniques like raw-socket scanning, masqueraded processes and dynamic DNS resolution to evade detection. The malware uses a multi-stage infection chain, starting with a downloader for Mirai binaries across various architectures. A key characteristic is its use of raw TCP sockets for high-velocity SSH scanning. Simultaneously, a fileless Monero cryptominer, XMRig, is deployed. This miner dynamically obtains its configuration—including wallet addresses and mining pools—directly from the command and control server, leaving no on-disk artifacts and hindering forensic analysis. This hybrid monetization strategy aims to maximize returns by leveraging compromised devices for both botnet attacks and cryptocurrency mining.

Linux server operators, cloud workloads, and exposed IoT devices are particularly at risk. Continuous monitoring and system hardening are essential defences against such sophisticated, financially motivated campaigns.
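The fileless and masqueraded-process traits described above leave visible traces in /proc, which is where the "continuous monitoring" mentioned here can start. The triage script below is an added example, not code from the article or the researchers it cites; the `Proc` records are constructed stand-ins for what `readlink /proc/<pid>/exe`, `/proc/<pid>/comm` and `/proc/<pid>/cmdline` return on a live host, and the `TRUSTED_DIRS` list is an assumption a deployment would tune.

```python
"""Flag processes that run from memory or an unlinked file, or whose
command line claims a different identity than the executable behind it.
Sample records are constructed; field names mirror /proc entries."""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    exe: str       # readlink of /proc/<pid>/exe ("" for kernel threads)
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


# Assumption: package-managed binaries live here; argv[0] may legitimately
# differ from the exe path for these (e.g. /sbin/init -> systemd).
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")


def findings(p: Proc) -> list:
    out = []
    exe = p.exe.replace(" (deleted)", "")
    # memfd_create() images show as /memfd:<name> (deleted); a binary unlinked
    # after exec keeps the " (deleted)" suffix. Both are fileless indicators.
    if p.exe.startswith("/memfd:") or p.exe.endswith(" (deleted)"):
        out.append("fileless-exe")
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if argv0.startswith("["):
        # Real kernel threads have an empty cmdline; a bracketed argv[0]
        # on a process that has an exe is a rewritten name.
        out.append("fake-kthread")
    elif argv0 and not exe.startswith(TRUSTED_DIRS) and (
        os.path.basename(argv0) != os.path.basename(exe)
        or (argv0.startswith("/") and argv0 != exe)
    ):
        out.append("masqueraded")   # claims a daemon it is not
    return out


def triage(procs: list) -> dict:
    """Return {pid: [findings]} for every process with at least one finding."""
    result = {}
    for p in procs:
        f = findings(p)
        if f:
            result[p.pid] = f
    return result


SAMPLE = [  # constructed records
    Proc(1, "/usr/lib/systemd/systemd", "systemd", "/sbin/init"),
    Proc(4242, "/memfd:xmrig (deleted)", "kworker/0:1", "[kworker/0:1]"),
    Proc(4300, "/tmp/.x/sshd (deleted)", "sshd", "/usr/sbin/sshd -D"),
    Proc(4301, "/usr/sbin/sshd", "sshd", "/usr/sbin/sshd -D"),
]

if __name__ == "__main__":
    for pid, f in triage(SAMPLE).items():
        print(pid, ", ".join(f))
```

On a real host, build the `Proc` list by walking `/proc/[0-9]*` and feed it to `triage`; hits are triage leads, not verdicts, so confirm with the process's open sockets and parent chain.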

Source: The Cyber Express