Skidmap Malware Fakes Network Traffic and CPU Information to Conceal a Monero Miner

Although some Linux users still want to believe that their operating systems cannot be affected by malware, the reality is that Trojans, worms, and viruses can affect them too. Skidmap is one of the threats that all Linux users need to know about because once it slithers in, it can drop a miner capable of exploiting CPU resources to mine cryptocurrency. The infection is extremely clandestine, and it uses pretty innovative techniques to conceal itself and all malicious activity. This stealthy infection proves that Linux systems are not invincible when it comes to cyber attacks. That, of course, does not mean that you cannot protect your system against attackers. Hopefully, you still have time to take appropriate security measures, which we discuss in this report, but if you need to remove Skidmap already, note that postponing the elimination would be a mistake.

According to the malware researchers at Trend Micro, Skidmap seeks out vulnerable Linux systems to infect. Up-to-date and reliably guarded systems cannot be taken over by this malware, but there are plenty of systems with unpatched vulnerabilities, and these are the systems that could be invaded seamlessly. Cybercriminals initiate the attack by installing a launcher to an authentic Linux process called crontab, which is responsible for scheduling commands on the operating system. The installer silently downloads Skidmap, and the full attack begins. The threat uses the /usr/sbin/setenforce file to execute a command that configures the SELinux module so that the control policies of the system are not enforced. Using the /etc/selinux/config file, the infection writes two new commands. One of them disables the SELinux policy, while the other one ensures that selected processes run in confined domains.

Besides messing with the system’s controls, Skidmap also adds a public key to the authorized_keys file to ensure that attackers can access the infected computer at any point. Access to the computer can also be gained via Backdoor.Linux.PAMDOR.A, which replaces the authentic pam_unix.so file. Once the infection is established, it can use multiple malicious components to conceal itself. One component is called iproute and it hides files using getdents. The kaudited component is installed as /usr/bin/kaudited, and it installs loadable kernel modules as rootkits. It also monitors the cryptocurrency miner file. The netlink component is a rootkit that falsifies CPU and network traffic statistics to make it seem as if everything is normal. In the meantime, however, a clandestine miner exhausts the CPU to mine Monero cryptocurrency. This miner, according to researchers, is a modified version of a well-known open-source cryptocurrency mining program called XMRig.

How the clandestine miner is introduced by Skidmap depends on the system’s operating system. If it is Debian-based, the miner’s payload is dropped to /tmp/miner, and if it is CentOS/RHEL-based, a TAR file is downloaded from the web. This file is unpacked, and the miner is installed. The miner computes mathematical problems to verify transactions and add them to a blockchain. In return for this service, the miner earns cryptocurrency. Basically, the attackers behind Skidmap exploit the infected machine’s CPU resources to make money for themselves. The victims gain nothing out of it. Instead, their systems can become sluggish or even crash due to exertion. This is one of the reasons to delete the malicious infection immediately. Of course, it is not the only one. After all, using the infection, cybercriminals can access your machine using backdoors.

It is crucial to delete Skidmap not just so that your system’s CPU resources would not be exploited for the gain of cybercriminals but so that all backdoors would be closed and that your system’s security could be restored. Because the threat uses rootkits and other components to conceal itself, deleting it manually can be challenging. This is when you should think about implementing trusted anti-malware software that could help you get your machine cleaned. Once the system is cleaned, it is crucial that you rethink your virtual security in general. When was the last time you updated the operating system and patched vulnerabilities? If you do not take care of this, cybercriminals could exploit existing vulnerabilities to attack you again and again and again.

References

Remillano II, A., Urbanec, J. September 16, 2019. Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Trend Micro.
Stroud, F. cryptocurrency mining. Webopedia.