SkidMap is a highly advanced variant of malware that targets vulnerable Redis services on various Linux distributions [9] [10]. It was first discovered in September 2019 and is known for its ability to adapt to the system it infects. This malware operates as a cryptocurrency mining botnet and has the capability to load malicious kernel modules, obfuscate its activities [2] [3], and monitor the mining process [1] [2] [3] [4]. The operators of SkidMap have taken measures to hide their command-and-control IP address by utilizing the Bitcoin blockchain [10], making it challenging to take down the malware.
Description
SkidMap is highly sophisticated and difficult to detect [10], especially in larger server infrastructures [4] [9]. It disguises its cryptocurrency mining activities by generating fake network traffic and CPU usage [6]. It installs malicious kernel modules to hide its activities and sets up a secret master password on infected systems [6], giving attackers complete access [6]. The malware is difficult to detect and allows attackers to gain unfettered access to affected systems [6]. It installs through crontab and downloads multiple binaries that affect the machine’s security settings [6]. SkidMap creates backdoor access and sets a master password [6], allowing attackers to log in as any user [6]. It drops a cryptocurrency miner and additional components depending on the operating system [6]. The malware includes malicious components to evade detection and employs advanced methods to remain undetected [6].
SkidMap uses rootkits to hide itself on infected systems and mine cryptocurrency [5]. It drops as standalone software or an encrypted .tar.gz file [5], depending on the target machine’s operating system [5]. It installs loadable kernel modules to ensure the infected machine won’t crash when tampered with [5]. SkidMap is equipped with kernel-mode rootkits that provide attackers with unlimited access to system resources and make it difficult to detect infections and mining activity [5]. It also includes modules to monitor cryptocurrency mining processes [5], hide files [4] [5] [6] [7] [8], and set up malicious cron jobs [5]. The use of rootkits in Linux-based cryptocurrency mining is an interesting development [5].
There are potential indicators of SkidMap infection, such as excessive fan operation and increased laptop temperature [1] [3]. To protect against SkidMap [2], it is crucial to secure Redis server instances and regularly install updates and patches. Trend Micro solutions can detect related malicious files and URLs [7]. SkidMap abuses Unix shell commands [8], transfers tools from external systems [8], and modifies authentication modules [8]. It may disable security tools [8], make files difficult to analyze [8], and impact the availability of services on co-opted systems [8]. Mitigation strategies include system and network discovery [8], monitoring for file changes and PAM configuration [8], and restricting scripting for normal users [8]. Rootkit protections and module monitoring can also help detect SkidMap activity [8]. Additionally, file integrity monitoring [8], process monitoring [8], and detecting file obfuscation are recommended to mitigate SkidMap attacks [8].
Conclusion
SkidMap is a dangerous malware that targets vulnerable Redis services on various Linux distributions [1] [3] [4] [9] [10]. It has evolved to include capabilities such as loading malicious kernel modules and hiding its activities [10]. The operators of SkidMap have been found to hide their backup command and control (C2) IP address on the Bitcoin blockchain [10]. The latest attack involves exploiting insecure Redis server instances to deploy a shell dropper script that distributes an ELF binary disguised as a GIF image file [1] [3] [4] [9] [10]. SkidMap is highly advanced and difficult to detect [1] [2] [3] [4] [9] [10], making it a significant threat to large server infrastructures [10]. Mitigation strategies and ongoing monitoring are crucial to protect against SkidMap attacks and future developments in malware.
References
[1] https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html
[2] https://cybersec84.wordpress.com/2023/08/07/new-skidmap-redis-malware-variant-poses-a-serious-threat-to-vulnerable-redis-servers/
[3] https://www.redpacketsecurity.com/new-skidmap-linux-malware-variant-targeting-vulnerable-redis-servers/
[4] https://cyber.vumetric.com/security-news/2023/08/07/new-skidmap-linux-malware-variant-targeting-vulnerable-redis-servers/
[5] https://www.zdnet.com/article/skidmap-malware-buries-into-the-kernel-to-hide-cryptocurrency-mining/
[6] https://gbhackers.com/linux-malware-skidmap/
[7] https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
[8] https://www.reactionarytimes.com/what-is-skidmap-and-how-does-it-work/
[9] https://cyberthreat.id/read/15851/SkidMap-Malware-Baru-dan-Berbahaya-Pengincar-Distribusi-Linux
[10] https://www.ultravpn.fr/nouvelle-variante-du-logiciel-malveillant-skidmap-linux-ciblant-les-serveurs-redis-vulnerables/
