Inside Linux.BtcMine.174: How Dr.Web’s New Malware Hijacks Linux Systems
Dr.Web’s recent report describes Linux.BtcMine.174, a trojan built around a shell script of more than 1,000 lines that exploits Dirty COW or CVE‑2013‑2094 for root access, terminates a dozen security processes, mines cryptocurrency, and spreads to hosts it harvests from the victim’s SSH data; the SHA‑1 hashes of its components are published on GitHub.
Russian antivirus vendor Dr.Web has disclosed a new Linux‑based trojan named Linux.BtcMine.174. Unlike typical Linux malware, it consists of a shell script exceeding 1,000 lines, which serves as the initial executable on compromised systems.
After gaining a foothold, the script searches the filesystem for directories with write permissions, replicates itself, and downloads additional modules. It then escalates privileges by exploiting either CVE‑2016‑5195 (Dirty COW) or CVE‑2013‑2094, after which it installs itself as a local daemon with root rights.
The trojan actively terminates a range of Linux antivirus processes, including safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord.
Once the environment is prepared, the primary payload launches cryptocurrency mining operations. Additionally, the malware downloads and executes other malicious components, gathers information about all remote servers accessed via SSH, and attempts to propagate to those hosts.
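Two incident-scoping checks a responder might run against the behaviour described above (an added example, not Dr.Web's code): which of the security daemons the trojan terminates are missing from a process snapshot, and which remote hosts the trojan could have learned from the host's SSH artefacts, so they can be triaged next. The process names and SSH file contents used here are constructed samples.

```python
"""Incident-scoping helpers for a Linux.BtcMine.174-style compromise."""
import re

# Process names the Dr.Web report says the trojan terminates (from the article).
TARGETED_DAEMONS = {
    "safedog", "aegis", "yunsuo", "clamd", "avast", "avgd", "cmdavd",
    "cmdmgd", "drweb-configd", "drweb-spider-kmod", "esets", "xmirrord",
}

# known_hosts entry with a non-default port looks like "[host]:port".
_BRACKET_PORT = re.compile(r"^\[([^\]]+)\]:\d+$")


def missing_security_daemons(running, expected):
    """Daemons this host should run (from the targeted list) that are absent."""
    return sorted(d for d in expected if d in TARGETED_DAEMONS and d not in running)


def ssh_hosts_from_artifacts(known_hosts_text, ssh_config_text):
    """Return (sorted hosts, count of hashed known_hosts entries).

    Hashed entries ('|1|salt|hash') cannot be reversed; the count tells the
    responder how incomplete the recovered host list is.
    """
    hosts, hashed = set(), 0
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:                    # need host(s), key type, key
            continue
        if fields[0].startswith("|1|"):
            hashed += 1
            continue
        for h in fields[0].split(","):         # several names may share one key
            m = _BRACKET_PORT.match(h)
            hosts.add(m.group(1) if m else h)
    for line in ssh_config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "hostname":
            hosts.add(value)
        elif key == "host":                    # aliases; skip wildcard patterns
            hosts.update(n for n in value.split() if not re.search(r"[*?!]", n))
    return sorted(hosts), hashed
```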
Dr.Web has published the SHA‑1 hashes of the trojan’s components on GitHub for verification:
https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174
Further technical details and analysis are available in Dr.Web’s official report:
https://vms.drweb.com/virus/?i=17645163
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.