Skidmap

Cryptojacking campaigns have been one of the leading trends in the world of cybercrime and, as expected, the cybercriminals are beginning to introduce more advanced crypto mining malware that can evade sandboxes, persist after removal, and even disguise its presence on the victim’s machine. One other notable thing about a crypto-mining malware is that it is not only targeted to Windows computers certainly – many of the malware families go for Linux-based systems, and this is the case with Skidmap.

Cryptocurrency Mining Malware Continues to Evolve

Skidmap is a newly discovered malware family whose primary purpose is to deploy a pre-configured cryptocurrency miner malware that generates Monero coins for the attackers. While this is the typical thing you would expect to see from a cryptojacking project, there is a lot more packed in Skidmap’s code. This particular malware strain is able to make use of ‘Loadable Kernel Modules’ to manipulate the configuration and behavior of Linux-based systems, therefore ensuring that the miner malware will continue to operate for as long as possible. In addition to this, Skidmap also may provide attackers with backdoor access by applying several changes to core Linux modules. While the Skidmap malware is used for cryptomining currently, its other modules are a certain sign that its authors could carry out much more threatening operations if they wished to.

Since many of Skidmap’s modules require root access to work, it is likely that the attackers are making use of unpatched vulnerabilities, poorly secured systems, and other high-level infection vectors to ensure that their malware will be run with administrative privileges. Upon launch, the Skidmap will apply several changes whose purpose is to disable the SELinux (Security-Enhanced Linux) module, as well as to set a master password for all user accounts by replacing the ‘pam_unix.so’ file with a corrupted one crafted by the cybercriminals. As a backup measure, the Skidmap malware will also add a key to the ‘authorized_keys’ file that would enable the attackers to use SSH to connect to the compromised host.

Skidmap Employs Advanced Techniques to Gain Persistence and Stealth

After completing this task, the Skidmap will begin deploying its modules, as well as the miner malware responsible for the Monero mining operation. The latter may be placed in a different directory, determine by the type of Linux distribution the victim is using. Other modules that Skidmap loads are:

• It replaces the ‘rm’ module with a bogus one that is programmed to download and launch a file at random time intervals.
• The LKM modules that serve as a rootkit and can allow the Skidmap malware to persist even it is removed.
• A module that can hide the files used by Skidmap and the cryptocurrency miner it drops.
• A module that falsifies the network and CPU usage reports that Linux delivers. This may leave PC users with the impression that their CPUs are not being used heavily, despite the fact that the miner malware will be using most of its resources.

Cryptojacking malware is being loaded with more and more features, and the Skidmap strain is one of the most advanced projects that malware researchers have had to deal with certainly. Protecting your systems from Skidmap requires the use of properly configured security features, a reputable anti-virus engine, the use of strong passwords and up-to-date software.