SkidMap is a highly advanced malware family that targets vulnerable Redis services on various Linux distributions. It was first discovered in September 2019 and is known for its ability to adapt to the system it infects. The malware operates as a cryptocurrency-mining botnet and can load malicious kernel modules, obfuscate its activities, and monitor the mining process. Its operators have hidden their command-and-control IP address by using the Bitcoin blockchain, which makes the malware hard to take down.
SkidMap is highly sophisticated and difficult to detect, especially in larger server infrastructures. It disguises its cryptocurrency mining by generating fake network traffic and CPU usage, installs malicious kernel modules to hide its activities, and sets up a secret master password on infected systems, giving attackers complete, unfettered access. It installs itself through crontab and downloads multiple binaries that alter the machine's security settings. SkidMap creates backdoor access and sets a master password that lets attackers log in as any user. It then drops a cryptocurrency miner and, depending on the operating system, additional components. These components are built to evade detection and use advanced methods to remain undetected.
SkidMap uses rootkits to hide itself on infected systems while mining cryptocurrency. Depending on the target machine's operating system, it drops either standalone software or an encrypted .tar.gz file. It installs loadable kernel modules built so that the infected machine won't crash when the system is tampered with. Its kernel-mode rootkits give attackers unlimited access to system resources and make infections and mining activity hard to detect. It also includes modules to monitor cryptocurrency-mining processes, hide files, and set up malicious cron jobs. The use of rootkits in Linux-based cryptocurrency mining is an interesting development.
Potential indicators of a SkidMap infection include excessive fan operation and increased laptop temperature. To protect against SkidMap, it is crucial to secure Redis server instances and to install updates and patches regularly. Trend Micro solutions can detect the related malicious files and URLs. SkidMap abuses Unix shell commands, transfers tools from external systems, and modifies authentication modules. It may disable security tools, make files difficult to analyze, and impact the availability of services on co-opted systems. Mitigation strategies include system and network discovery, monitoring for file changes and PAM configuration changes, and restricting scripting for normal users. Rootkit protections and kernel-module monitoring can also help detect SkidMap activity. File integrity monitoring, process monitoring, and detection of file obfuscation are recommended as well.
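As an added example, not from the article or from Trend Micro, the following POSIX shell helpers implement two of the checks the mitigation list above calls for: a hash baseline for the PAM configuration directory and a comparison of the loaded-module list against a known-good list. The directory path, the baseline files and the sample contents are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the article): baseline-and-verify checks for two
# of the mitigations discussed, PAM configuration integrity and loaded-module
# drift. Paths and sample contents are constructed for illustration.

# hash_file FILE: print "<sha256>  <path>" with whichever tool is available
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# snapshot_dir DIR OUT: write a sorted hash baseline of every file under DIR
# (in production DIR would be /etc/pam.d and OUT kept off-host or read-only)
snapshot_dir() {
    find "$1" -type f | sort | while read -r f; do hash_file "$f"; done > "$2"
}

# verify_dir DIR BASELINE: return 0 if nothing changed; otherwise print the
# added, removed or modified entries and return 1
verify_dir() {
    tmp=$(mktemp)
    find "$1" -type f | sort | while read -r f; do hash_file "$f"; done > "$tmp"
    if diff "$2" "$tmp" > /dev/null; then
        rm -f "$tmp"; return 0
    fi
    echo "PAM configuration drift detected in $1:"
    diff "$2" "$tmp" | grep '^[<>]'
    rm -f "$tmp"; return 1
}

# new_modules BASELINE CURRENT: print module names present in CURRENT but not
# in BASELINE. Both files hold one name per line, e.g. captured with
#   lsmod | awk 'NR>1 {print $1}'
new_modules() {
    b=$(mktemp); c=$(mktemp)
    sort -u "$1" > "$b"; sort -u "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}
```

Take the snapshots once on a known-clean host and schedule the verify steps; a module that shows up in the `new_modules` output or a PAM file that changed outside an administered update is worth investigating.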
SkidMap is a dangerous malware that targets vulnerable Redis services on various Linux distributions. It has evolved to include capabilities such as loading malicious kernel modules and hiding its activities. Its operators have been found to hide a backup command-and-control (C2) IP address on the Bitcoin blockchain. The latest attack exploits insecure Redis server instances to deploy a shell dropper script, which distributes an ELF binary disguised as a GIF image file. Because SkidMap is highly advanced and difficult to detect, it is a significant threat to large server infrastructures. Mitigation strategies and ongoing monitoring are crucial to protect against SkidMap attacks and future developments in this malware.