Linux Miner Removes Competing Malware From Infected Systems

February 11, 2019

The threat, which borrows code from previously seen malware such as Xbash and KORKERDS, installs cryptocurrency-mining code on the victim machine and achieves persistence by implanting itself into the system and crontabs.

As part of the attack, an initial script is served to the intended target. The script deletes several pieces of known Linux malware and coin miners, along with connections to other miner services and ports, and then downloads the mining binary.

The script is similar to the code of the KORKERDS miner observed in November 2018, but it doesn't target security products present on the system.
