Cybersecurity research firm TrendMicro has come across a new Linux malware, Skidmap, that is capable of illicit cryptocurrency mining.
Skidmap is the new Linux malware in town
According to the research, the new Linux malware mines cryptocurrency and hides its activity by loading malicious loadable kernel modules (LKMs). Because it relies on Linux kernel module rootkits, which overwrite and modify parts of the kernel, it is difficult to detect and remove.
Apart from cryptocurrency mining, the new Linux malware can also give the attackers backdoor access to the affected system: it installs a secret master password that lets anyone log in without authorization.
How does Skidmap malware work?
Skidmap enters the system via crontab (the facility used to schedule recurring jobs on Unix-like operating systems). Once it gets onto the victim system, it installs a malicious binary (“pc”), which lowers the security settings of the device so that the crypto mining can run.
However, there is no word on which cryptocurrency the malware mines.
To plant the cryptocurrency miner, the malware first checks whether the system is Debian-based or RHEL/CentOS-based.
On a Debian-based system, it saves the crypto miner payload to “/tmp/miner2”. On an RHEL/CentOS-based system, it downloads the crypto miner payload and other components as a tar file from the URL “hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz.”
In addition, the Linux malware sets up a second route for unauthorized access to the infected system.
It does this by replacing the system’s “pam_unix.so” file (the module responsible for conventional Unix authentication) with a malicious variant, identified as “Backdoor.Linux.PAMDOR.A.”
With this replacement in place, attackers can log in to the system as any user.
Skidmap’s other malicious components
The report also describes several further components that Skidmap uses to carry out its malicious activity.
These components include a fake “rm” binary, a kaudited binary that installs several LKMs, an Iproute module, and a Netlink rootkit used to fake network statistics.
You can read the full research report for a better understanding of Skidmap’s components.
How to stay safe from Linux malware
Because cryptocurrency-mining malware is widespread and leads to higher costs and disruption of business, users should take certain precautions to remain safe.
Users should keep their servers and systems patched and up to date, and should be cautious with third-party repositories.