With every new technology comes the threat of it being misused by miscreants. The latest such threat in the crypto space is crypto-mining malware. Recently, Trend Micro threat analysts Augusto Remillano and Jakub Urbanec discovered a unique Linux malware, Skidmap. It is unique in how it dodges system surveillance: the malware comes with kernel-mode rootkits, meaning it loads malicious kernel modules, which makes it nearly impossible for security tooling on the host to detect. For this reason, it is difficult to detect any cryptocurrency mining operation undertaken by this malware.
When a vulnerable Linux system is found, Skidmap installs itself via the time-based job scheduler, crontab. The installation script that ships with Skidmap then downloads a Trojan payload. This Trojan sets Security-Enhanced Linux (SELinux) to 'permissive' mode, weakening the machine's security. A backdoor is created by inserting the operator's key into the system's authorized_keys file.
In addition to this backdoor, Skidmap creates another access path for the operator by replacing the system's pam_unix.so file (the module for standard Unix authentication) with its own malicious version (identified as Backdoor.Linux.PAMDOR.A). This file accepts a single password that is valid for every user, so the operator can log in to the machine as any user on it.
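The three host-level changes described above (SELinux flipped to permissive, an extra key in authorized_keys, a replaced pam_unix.so) are all checkable from a shell. The following audit functions are an added example, not code from the article or from Trend Micro; they assume a local allowlist file of approved public keys and a known-good pam_unix.so SHA-256 taken from the distribution package.

```shell
#!/bin/sh
# Added example: audit helpers for the Skidmap-style changes described above.
# Assumptions: the allowlist file holds one approved public key per line, and
# the expected pam_unix.so hash comes from the distro package, not from here.

# SELinux should report "Enforcing"; Skidmap sets it to permissive.
# Argument: the output of `getenforce`.
selinux_mode_ok() {
    [ "$1" = "Enforcing" ]
}

# Every key in an authorized_keys file must appear in the allowlist.
# Keys are compared on "type blob" only, so key options and comments are
# ignored. Prints each offending line; returns 1 if any key is unapproved.
unapproved_keys() {
    keys_file="$1"; allow_file="$2"; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        keyblob=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i+1); exit }
        }')
        if [ -z "$keyblob" ] || ! grep -qF -- "$keyblob" "$allow_file"; then
            printf 'unapproved key: %s\n' "$line"
            bad=1
        fi
    done < "$keys_file"
    return $bad
}

# SHA-256 of a file, with a fallback for hosts lacking coreutils sha256sum.
sha256_of() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
      else shasum -a 256 "$1"; fi; } | awk '{print $1}'
}

# pam_unix.so must match the known-good hash of the packaged module.
pam_unix_ok() {
    [ "$(sha256_of "$1")" = "$2" ]
}
```

On a live host, call `selinux_mode_ok "$(getenforce)"`, `unapproved_keys /root/.ssh/authorized_keys /etc/ssh/approved_keys` and `pam_unix_ok` with the package's hash; `rpm -V pam` or `dpkg -V libpam-modules` is the package-manager equivalent of the last check.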
The cryptocurrency mining component of Skidmap is dropped as a separate bundle consisting of the miner and its supporting components. The malware first checks which OS the machine runs and then installs the component compatible with that OS.
Cryptocurrency mining is the process of adding new transactions to the blockchain, or releasing new currency, by computing hash values.