A new cryptocurrency-mining malware has surfaced
By Bob Garcia
Sonatype has identified a new malware that can trick computers into mining for crypto
Reportedly, the malicious packages involved in this new cryptocurrency-mining malware are “okhsa,” “klow,” and “klown.” Specialists indicated that okhsa comes in several versions, which largely contain skeleton code that starts the Calculator application on Windows machines at the pre-installation stage. Those versions also include the npm package klow or klown as a dependency, and that dependency is malicious. It is said that the same author published all of these packages, and the account has since been deactivated.
“Packages ‘klow’ and ‘klown’ contain a cryptocurrency miner. These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script depending on whether the user is running Windows or a Unix-based operating system,” explained Ali ElShakankiry, the Sonatype security researcher who was in charge of analyzing the packages. “These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize.”
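A defender's check for the pattern described above, as an added example that is not Sonatype's code: it flags a parsed package.json that is, or depends on, one of the packages named in the article, and reports any install-time lifecycle hook, ranking hooks that hand off to a shell or script file higher. The sample manifests and the hand-off pattern are constructed assumptions, not taken from the real packages.

```javascript
// Added example. Package names are the ones reported in the article;
// the sample manifests below are constructed for illustration.
const REPORTED = new Set(["okhsa", "klow", "klown"]);
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Hook commands that hand off to a script file, a shell or a downloader.
const HANDOFF = /\.(bat|cmd|sh|ps1)\b|\b(curl|wget|powershell|bash|sh)\b/i;

// Returns a list of findings for one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  if (REPORTED.has(manifest.name)) {
    findings.push({ type: "reported-package", detail: manifest.name });
  }
  for (const field of DEP_FIELDS) {
    for (const dep of Object.keys(manifest[field] || {})) {
      if (REPORTED.has(dep)) {
        findings.push({ type: "reported-dependency", detail: `${field}: ${dep}` });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== "string") continue;
    // Any install-time hook deserves review; a shell/script hand-off ranks higher.
    const type = HANDOFF.test(cmd) ? "suspicious-hook" : "install-hook";
    findings.push({ type, detail: `${hook}: ${cmd}` });
  }
  return findings;
}

// Constructed manifests: a wrapper pulling in a reported dependency, a package
// whose preinstall hook runs a shell script, one whose hook hides the hand-off
// behind a JS file, and a clean package.
const SAMPLES = [
  { name: "sample-wrapper", dependencies: { klown: "^1.0.0" } },
  { name: "sample-script", scripts: { preinstall: "sh ./setup.sh" } },
  { name: "sample-indirect", scripts: { preinstall: "node preinstall.js" } },
  { name: "sample-clean", scripts: { test: "mocha" } },
];

for (const m of SAMPLES) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

To audit a real tree, pass the function `JSON.parse` of each `package.json` under `node_modules`; installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while the findings are reviewed.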