Found this story on exploit.in (a Russian site)
The Doctor Web specialists have discovered a trojan designed for the extraction of cryptocurrency, which can infect other network devices and remove antiviruses running in the system. The threat received the identifier Linux.BtcMine.174 and is a large script written in the command shell language containing more than 1000 lines of code.
Malware consists of several components. So, when launching, the trojan checks the availability of the server from which it subsequently downloads other modules, and searches for a folder on the disk with write permissions into which these modules will then be loaded. After this, the script is moved to a previously selected folder named diskmanagerd and re-launched as a daemon. For this, the trojan uses the nohup utility. If it is not in the system, it automatically downloads and installs the coreutils utilities package, including nohup.
If the installation is successful on the device, the malicious script downloads one of the versions of the Linux.BackDoor.Gates.9 Trojan. The backdoors of this family allow you to execute commands from attackers and carry out DDoS attacks.
After installation, malware looks for competing miners in the system and, upon detection, completes their processes. If the trojan was not launched on behalf of the superuser (root), it uses a set of exploits to escalate its privileges on the infected system. Analysts of Doctor Web have identified at least two problems exploited by him: these are CVE-2016-5195 (aka DirtyCow ) and CVE-2013-2094 . At the same time, the sources of the exploit for DirtyCow are downloaded from the Internet by the Trojan compiles directly on the infected machine.
After this, the malware tries to find antivirus services running under the names safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets and xmirrord. If they are detected, the malware does not just end the antivirus process, but with the help of package managers, deletes its files and the directory in which the anti-virus product was installed.
Then the trojan registers itself at startup, downloads and launches a rootkit on an infected device. This module is also designed as a sh script and is based on source code that was previously published in the public domain. Among the functions of the rootkit module, you can highlight the theft of user-supplied passwords for the su command, hiding files in the file system, network connections and running processes. The trojan collects information about network nodes that were previously connected via the ssh protocol and tries to infect them.
After completing all these steps, the Trojan finally launches the miner, designed for the production of Monero cryptocurrency (XMR), in the system. At intervals of one minute, the malware checks to see if this miner is running, and automatically restarts it if necessary. It also connects to the managing server in a continuous loop and downloads updates from there, if they are available.
Source of the above story…