As part of our experts’ comment series, please find below comments from security experts on Linux malware (Skidmap) disguising itself on infected machines for the purpose of unlawful cryptocurrency mining,
BREAKING NEWS: Skidmap, a Linux malware, now mines crypto on your computer in complete stealth. This virus also gives complete backdoor access to the hackers as well.#cryptocurrency #Cryptocurrencynews #Cryptohttps://t.co/Yz6WVpEkx4
— CoinBeat (@CoinBeatCrypto) September 17, 2019
Cryptocurrency mining malware is still a prevalent threat in 2019 and Cybercriminals are devising new ways to make a profit from these malware. The Skidmap is one of the recent examples, which hides inside the kernel to hide illicit cryptocurrency mining. This new kernel-mode is much more difficult to detect compared to its previous user-mode counterparts which show malware are getting smarter day by day. The main steps in Skidmap infection chain are:
1) Installation via crontab,
2) Download and Execute main library,
3) Disable or change SELinux policy,
4) Open up backdoor access,
5) Check the infected system: Debian or EHEL/Centos and finally
6) Download and execute cryptocurrency miner and other malicious components.
It is important to understand the character of a particular malware family and it’s Indicator of compromise. A CPU high utility is a well-known indicator of crypto mining but in Skidmap’s case, the traffic information is faked to make CPU usage always appear low. It is important to keep applications and operation systems patched to the latest level and search for existing signs of the indicated Skidmap\’s IoCs in your environment and block all URL and IP based IoCs at the perimeter gateway.
The sheer amount of work put into commodity malware that targets Linux is what I find interesting about Skidmap. This is a very thoughtful set of obfuscations and concealments more typical of \”spray-and-pray\” cryptominers targeting Windows or Mac operating systems – or of more customized, targeted Linux malware that’s unlikely to be a part of a campaign like this one. Over the last several months, we’ve seen more evidence that suggests that attackers are continuing to increase their focus on Linux as a vehicle to obtain access to compute and bandwidth resources.