Skidmap malware buries into the kernel to hide illicit cryptocurrency mining

The Linux malware makes use of a rootkit to disguise itself on infected machines.


A form of malware stumbled upon by researchers makes use of rootkits to bury itself undetected in Linux systems for the purpose of cryptocurrency mining. 

On Monday, threat analysts Augusto Remillano and Jakub Urbanec from Trend Micro said the Linux malware, dubbed Skidmap, is loaded with kernel-mode rootkits designed to obfuscate its presence on an infected system as well as provide attackers with limitless access to the machine's resources. 

Once a vulnerable Linux system has been located, Skidmap installs itself via crontab, the time-based job scheduler. 

An installation script downloads the main Trojan payload, which then sets Security-Enhanced Linux (SELinux) to a 'permissive' state, lowering the machine's overall security level. 


"If the system has the /etc/selinux/config file, it will write these commands into the file: SELINUX=disabled and SELINUXTYPE=targeted commands," Trend Micro says. "The former disables the SELinux policy (or disallows one to be loaded), while the latter sets selected processes to run in confined domains."

A backdoor is then created by adding the operator's public key to the system's authorized_keys file, which governs SSH key-based logins. 

The pluggable authentication module (PAM) that handles Unix password checks is also replaced with a malicious version that accepts a specific 'master' password for any user registered on the compromised machine. Attackers can then log in as any user -- with any level of privilege -- they choose. 
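The three persistence tricks just described (the SELinux config rewrite, the added authorized_keys entry and the replaced PAM module) are all visible on disk. The script below is an added example, not code from the article or from Trend Micro; it checks a config file for the SELINUX= setting, lists authorized_keys entries missing from an allowlist, and asks the package manager whether pam_unix.so still matches the installed package. The function names, the allowlist format, the candidate pam_unix.so paths and the constructed sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Trend Micro): host-side checks for the
# persistence tricks described above. Functions take file paths so they can be run
# against constructed sample files (demo below) or the live host's
# /etc/selinux/config and ~/.ssh/authorized_keys.

# Print the SELINUX= mode set in a config file, ignoring comment lines; "unset" if absent.
selinux_mode_in_config() {
    mode=$(grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/^[[:space:]]*SELINUX=\(.*\)$/\1/p' | tail -n 1 | tr -d ' \t\r')
    printf '%s\n' "${mode:-unset}"
}

# Print each key in an authorized_keys file ($1) that is not in the allowlist file ($2).
# Only key type and key data are compared: an options prefix such as command="..." is
# skipped over and the trailing comment is ignored.
unexpected_authorized_keys() {
    awk '
        function keyid(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        $1 == "" || $1 ~ /^#/ { next }
        FILENAME == ARGV[1] { k = keyid(); if (k != "") allow[k] = 1; next }
        { k = keyid(); if (k != "" && !(k in allow)) print k }
    ' "$2" "$1"
}

# Verify the package that owns pam_unix.so against package-manager records (rpm -V or
# dpkg -V). Prints "ok", "MODIFIED" (something in the owning package differs; run the
# verify command by hand to see which file) or "unverified" (no rpm/dpkg available).
# Candidate paths are assumptions covering common RHEL/CentOS and Debian layouts.
verify_pam_unix() {
    for so in /lib64/security/pam_unix.so \
              /lib/x86_64-linux-gnu/security/pam_unix.so \
              /usr/lib/x86_64-linux-gnu/security/pam_unix.so \
              /lib/security/pam_unix.so; do
        [ -f "$so" ] || continue
        if command -v rpm >/dev/null 2>&1; then
            if rpm -Vf "$so" >/dev/null 2>&1; then echo ok; else echo MODIFIED; fi
            return 0
        elif command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$so" 2>/dev/null | cut -d: -f1)
            if [ -z "$pkg" ]; then echo unverified
            elif dpkg -V "$pkg" >/dev/null 2>&1; then echo ok
            else echo MODIFIED; fi
            return 0
        fi
    done
    echo unverified
}

# Demo on constructed sample files (not real system files).
demo_dir=$(mktemp -d)
printf '# SELINUX=enforcing\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/selinux.conf"
printf 'ssh-ed25519 AAAAC3-known-key admin@example\n' > "$demo_dir/allowed_keys"
printf 'ssh-ed25519 AAAAC3-known-key admin@laptop\ncommand="x" ssh-rsa AAAAB3-unknown-key someone@elsewhere\n' \
    > "$demo_dir/authorized_keys"
echo "SELinux mode in config: $(selinux_mode_in_config "$demo_dir/selinux.conf")"
echo "keys not on the allowlist:"
unexpected_authorized_keys "$demo_dir/authorized_keys" "$demo_dir/allowed_keys"
echo "pam_unix.so package check: $(verify_pam_unix)"
rm -rf "$demo_dir"
```

A config file reading SELINUX=disabled on a host that is supposed to enforce is worth a ticket on its own, and `getenforce` should be compared against the file, since the article notes the running state is switched first. The PAM check verifies the whole owning package, so a MODIFIED result should be followed by the verbose `rpm -V` or `dpkg -V` output to see which file changed.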

The cryptocurrency mining component of Skidmap will drop either as standalone software or as an encrypted .tar.gz file depending on whether the target machine is Debian or RHEL/CentOS. 


One of the most interesting features of this malware is its handling of the kernel. Many of Skidmap's routines require root access, so kernel-mode rootkits are used to provide it -- and to make the infection and the mining activity harder to detect.

A file installed as /usr/bin/kaudited drops and installs loadable kernel modules (LKMs); different modules are used depending on the kernel version so that the infected machine does not crash when it is tampered with. 

In particular, one rootkit will fake network traffic and CPU-related statistics to make it appear that the machine is clean. This will include the creation of sham traffic involving particular ports, IP addresses, CPU loads and processes. 


A heavily loaded CPU is a well-known indicator of cryptocurrency mining, as solving the mathematical puzzles that secure digital coins consumes substantial processing power. In Skidmap's case, the reported statistics are faked so that CPU usage always appears low. 

In addition, the malware is equipped with modules able to monitor cryptocurrency mining processes, hide specific files, and set up malicious cron jobs for executing other malicious files. 
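Two of the footholds described above, cron jobs that launch dropped files and loadable kernel modules installed from outside the distribution, can be audited from the host. The script below is an added example, not code from the article or from Trend Micro: it extracts the commands scheduled in a crontab-format file, flags the absolute paths among them that no installed package owns, and lists loaded modules that `modinfo` cannot locate in the running kernel's module tree. The function names, the "system"/"user" format switch and the constructed crontab sample are this example's own assumptions; /usr/bin/kaudited is the path named in the article.

```shell
#!/bin/sh
# Added example (not from the article or Trend Micro): audit of cron jobs and loaded
# kernel modules. Functions take file paths so they run on constructed samples (demo
# below) as well as on /etc/crontab, /etc/cron.d/* and the output of crontab -l.

# Print the command (first token) of every job in a crontab-format file.
# $2 is "system" for /etc/crontab and /etc/cron.d/* (which carry a user column)
# or "user" for per-user crontabs; "@reboot"-style schedules are handled too.
cron_job_commands() {
    awk -v fmt="$2" '
        $1 == "" || $1 ~ /^#/ || $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # blanks, comments, VAR=
        {
            n = ($1 ~ /^@/) ? 1 : 5            # schedule fields before the command
            if (fmt == "system") n++           # system crontabs add a user column
            if (NF > n) print $(n + 1)
        }
    ' "$1"
}

# Print scheduled commands that are absolute paths not owned by any installed package,
# the usual shape of a dropped file such as /usr/bin/kaudited. Needs rpm or dpkg;
# commands it cannot check are skipped, so read it alongside the raw list above.
cron_commands_not_in_packages() {
    cron_job_commands "$1" "$2" | while IFS= read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$cmd" >/dev/null 2>&1 || echo "$cmd"
        elif command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$cmd" >/dev/null 2>&1 || echo "$cmd"
        fi
    done
}

# Print loaded modules whose file modinfo cannot find under /lib/modules/$(uname -r).
# In-tree and distro-packaged modules resolve; one inserted from a dropped file does not.
# Prints nothing on systems without /proc/modules.
unresolved_loaded_modules() {
    [ -r /proc/modules ] || return 0
    cut -d' ' -f1 /proc/modules | while IFS= read -r mod; do
        modinfo -n "$mod" >/dev/null 2>&1 || echo "$mod"
    done
}

# Demo on a constructed /etc/crontab-format sample (not a real crontab).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample in system crontab format
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /usr/bin/kaudited
@reboot root /tmp/example-dropped-file >/dev/null 2>&1
EOF
echo "scheduled commands:"; cron_job_commands "$demo" system
echo "scheduled absolute paths owned by no package:"; cron_commands_not_in_packages "$demo" system
echo "loaded modules modinfo cannot resolve:"; unresolved_loaded_modules
rm -f "$demo"
```

The module check has an obvious limit that follows from the article itself: a kernel-mode rootkit can remove its own entry from /proc/modules and, as the next paragraphs describe, falsify the CPU and network figures the kernel reports. A clean result from a script run on the suspect host is therefore not proof of a clean host; the cron and package checks above are most trustworthy when run against a disk image from outside the running system, and resource usage is best confirmed from the hypervisor or the network rather than from the guest's own counters.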

The use of rootkits is an interesting development in the world of Linux-based cryptocurrency mining. Another recently discovered Trojan sample, called InnfiRAT, was found to contain functionality specifically designed to steal cryptocurrency wallet credentials from infected machines.
