Kerberods is responsible for dropping the cryptocurrency miner (khugepageds, detected as Coinminer.Linux.MALXMR.UWEJI) and its rootkit component. As mentioned earlier, this attack shares many of the same characteristics of last year’s incident, such as the use of pastebin as a C&C server, the miner payload, and its use of a rootkit to hide the malware. Unlike the older rootkit that only hooks the readdir function to hide the mining process, this new version hooks more functions. Most of the hooked functions would return a “No such file or directory error” if their parameter contains the file name of the rootkit, the miner, or ld.so.preload. Note how the version with the rootkit loaded hides the CPU usage and the mining process. The rootkit also serves as a form of persistence by hooking the access function so that a cron job is created to reinstall the malware whenever it is called.