Skidmap is a new cryptomining malware (cryptominer) that uses loadable kernel modules (LKMs) to sneak into Linux systems. The malware is capable of hiding its malicious activities by displaying fake network traffic stats.
According to Trend Micro researchers, who stumbled upon Skidmap, the malware illustrates the increasing complexity of recent cryptocurrency-mining threats. What makes Skidmap stand out is the way it loads malicious LKMs to conceal its crypto-mining operations. The LKMs overwrite or modify parts of the kernel, which makes the malware difficult to clean. On top of that, Skidmap uses several infection mechanisms and can re-infect hosts that have already been cleaned up.
Skidmap Cryptocurrency Miner: Some Technical Details
In terms of installation, these are the steps the malware follows:
1. The malware installs itself via crontab (a list of commands run on a regular schedule) on targeted systems;
2. The installation script pm.sh downloads the main binary “pc” (detected by Trend Micro as Trojan.Linux.SKIDMAP.UWEJX).
Once the binary is executed, it lowers the system’s security settings. Furthermore, Skidmap secures backdoor access to the targeted machine by having the binary add its handlers’ public key to the authorized_keys file, which holds the public keys accepted for SSH key-based authentication, Trend Micro reported.
Skidmap also replaces pam_unix.so, the module responsible for standard Unix authentication, with a malicious version that accepts a specific password for any user. This lets the threat actors log in as any user on the machine.
The binary is also designed to drop the miner component matching the distribution found on the infected system – Debian Linux, CentOS, or Red Hat Enterprise Linux.
In addition to the cryptocurrency miner, Skidmap also drops the following components:
- A fake “rm” binary — One of the components contained in the tar file is a fake “rm” binary that replaces the original (rm is normally the command used for deleting files). Its malicious routine sets up a cron job that downloads and executes a file. This routine won’t always be observed, however, as it is only performed at random.
- kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that will monitor the cryptocurrency miner file and process.
- iproute — This module hooks the getdents system call (normally used to read the contents of a directory) in order to hide specific files.
- netlink — This rootkit fakes network traffic statistics (specifically traffic involving certain IP addresses and ports) and CPU-related statistics (hiding the “pamdicks” process and its CPU load), so the CPU load of the infected machine always appears low. This is likely meant to make everything look normal to the user, as high CPU usage is a red flag for cryptocurrency-mining malware.
In conclusion, Skidmap is a fairly advanced cryptocurrency-mining malware that contains components to help it remain undetected. Its appearance shows that miners, even if less prevalent than before, still pose great risks to users.
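The artifacts above (cron persistence, the added authorized_keys entry, the replaced pam_unix.so and rm binaries, the kaudited dropper) give a defender a concrete checklist. The POSIX shell audit below is an added example, not code from the Trend Micro report or this article; it assumes a ROOT variable for pointing the checks at a staged directory, an administrator-kept baseline authorized_keys file and recorded SHA-256 hashes, and a curl/wget-piped-to-shell pattern for the cron check, since the page does not give Skidmap's exact cron command.

```shell
#!/bin/sh
# Added audit helpers (not from the Trend Micro report or this article) for the
# Skidmap artifacts described above. ROOT redirects the checks to a staged tree
# for testing. Each check prints findings, returning 0 if any, 1 otherwise.
ROOT="${ROOT:-}"

# The dropper is installed at a fixed path.
check_kaudited() {
    [ -e "$ROOT/usr/bin/kaudited" ] || return 1
    echo "FINDING: $ROOT/usr/bin/kaudited present"
}

# Backdoor key: report authorized_keys entries absent from a known-good
# baseline kept by the administrator (assumed to exist).
# Usage: check_authorized_keys <authorized_keys> <baseline_file>
check_authorized_keys() {
    found=1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$2" || { echo "FINDING: unknown key in $1: $line"; found=0; }
    done < "$1"
    return $found
}

# Replaced pam_unix.so or rm: compare a file's SHA-256 with a recorded baseline.
# On a real host the vendor manifest is the better source of truth:
# rpm -V pam (RHEL/CentOS) or dpkg -V libpam-modules (Debian).
# Usage: check_file_hash <file> <expected_sha256>
check_file_hash() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && return 1
    echo "FINDING: $1 hash $actual differs from baseline $2"
}

# Cron persistence: flag jobs that fetch remote content and pipe it to a shell
# (an assumed pattern; the page does not give Skidmap's exact command line).
# Usage: check_cron_download_exec <crontab-file>...
check_cron_download_exec() {
    found=1
    pat='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -qE "$pat" "$f"; then
            echo "FINDING: download-and-execute cron entry in $f:"
            grep -nE "$pat" "$f"
            found=0
        fi
    done
    return $found
}
```

On a live host, call the checks with ROOT unset, passing /root/.ssh/authorized_keys, /etc/crontab, /etc/cron.d/* and /var/spool/cron/* as arguments.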