Nicknamed Linux.Lady, the malware uses unsecured Redis database servers to spread from system to system.
The malware was spotted by Russia-based antivirus maker Dr.Web and is one of the few weaponised Go-based malware families. In other words, it is written in Google’s Go programming language and relies mostly on open source Go libraries hosted on GitHub.
The trojan infects systems by connecting to misconfigured Redis database servers for which administrators have not set a password (in Redis, the `requirepass` directive, which is unset by default). Apparently around 30,000 Redis servers are reachable online without a password.
A smaller downloader trojan, Linux.DownLoader.196, establishes the initial foothold on the target machine and then fetches the main payload, Linux.Lady.
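The following is an added example, not code from the article or from Dr.Web, showing how a practitioner can check whether one of their own Redis instances answers commands without authentication, which is the condition Linux.Lady abuses. It speaks the Redis wire protocol (RESP) directly so no client library is needed; the reply strings are real Redis replies, but the sample replies embedded below are constructed for the offline test, and the host and port in `probe` are placeholders.

```python
"""Probe a Redis server for missing authentication (added example, not the article's code).

A Redis server with `requirepass` set answers every command from an
unauthenticated client with "-NOAUTH ...". An open server answers PING with
"+PONG". Redis 3.2+ with protected mode enabled and no password refuses
non-loopback clients with "-DENIED ...", which is safe-by-default, not open.
"""
import socket


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array: encode_command("PING") -> b"*1\\r\\n$4\\r\\nPING\\r\\n"."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def classify_reply(reply: bytes) -> str:
    """Classify the first line of a RESP reply to PING.

    Returns one of: "open" (no auth needed), "auth_required",
    "protected_mode", "error" (some other Redis error), "unexpected".
    """
    first_line = reply.split(b"\r\n", 1)[0]
    if first_line.startswith(b"+PONG"):
        return "open"
    if first_line.startswith(b"-NOAUTH"):
        return "auth_required"
    if first_line.startswith(b"-DENIED"):
        return "protected_mode"
    if first_line.startswith(b"-"):
        return "error"
    return "unexpected"


# Constructed sample replies (the NOAUTH and DENIED texts are abbreviated real Redis messages).
SAMPLE_REPLIES = {
    "open": b"+PONG\r\n",
    "auth": b"-NOAUTH Authentication required.\r\n",
    "protected": b"-DENIED Redis is running in protected mode because protected mode is enabled ...\r\n",
    "notredis": b"HTTP/1.1 400 Bad Request\r\n",
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples (used by the offline test)."""
    return {name: classify_reply(data) for name, data in SAMPLE_REPLIES.items()}


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect to host:port, send PING and classify the answer. Uses the network, so it
    is not exercised by the offline test; run it only against systems you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING"))
        return classify_reply(sock.recv(1024))


if __name__ == "__main__":
    # Placeholder target (assumption): a Redis instance you administer.
    print(probe("127.0.0.1", 6379))
```

A result of "open" on a non-loopback address is the misconfiguration the article describes; the fix is to set `requirepass`, bind Redis to the interfaces that actually need it and keep protected mode on.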
Linux.Lady collects information about the infected system and sends it to a C&C server. It collects data like the computer’s current Linux version, the Linux OS family name, the number of CPUs, the number of running processes, and their names.
Linux.Lady’s purpose is to mine the Monero cryptocurrency. Once the C&C server is informed of the creation of a new bot, it sends over a configuration file, which Linux.Lady uses to start a cryptocurrency mining programme that generates digital currency for the attacker’s account.