Experts Comments Linux Malware (Skidmap) Illicit Cryptocurrency Mining

By ISBuzz Team, Writer, Information Security Buzz | Sep 18, 2019 11:22 am PST

As part of our experts' comment series, please find below comments from security experts on Linux malware (Skidmap) disguising itself on infected machines for the purpose of unlawful cryptocurrency mining.

2 Expert Comments
Dr. Muhammad Malik, InfoSec Leader & Editor-in-Chief
September 25, 2019 7:58 am

Cryptocurrency mining malware is still a prevalent threat in 2019, and cybercriminals are devising new ways to make a profit from it. Skidmap is one of the recent examples; it hides inside the kernel to conceal illicit cryptocurrency mining. This new kernel-mode variant is much more difficult to detect than its previous user-mode counterparts, which shows that malware is getting smarter day by day. The main steps in the Skidmap infection chain are:

1) Installation via crontab,
2) Download and execute the main library,
3) Disable or change the SELinux policy,
4) Open up backdoor access,
5) Check the infected system: Debian or RHEL/CentOS, and finally
6) Download and execute the cryptocurrency miner and other malicious components.

It is important to understand the character of a particular malware family and its indicators of compromise. High CPU utilization is a well-known indicator of crypto mining, but in Skidmap's case, the traffic information is faked to make CPU usage always appear low. It is important to keep applications and operating systems patched to the latest level, search for existing signs of the indicated Skidmap IoCs in your environment, and block all URL- and IP-based IoCs at the perimeter gateway.

Last edited 4 years ago by Dr. Muhammad Malik
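The comment above notes that Skidmap falsifies the figures behind the usual CPU gauges, so the "high CPU means a miner" heuristic fails on an infected host. One defensive response is to stop trusting a single gauge and cross-check it against an independent signal. The script below is an added example, not part of the original article or of any vendor analysis: it computes utilisation from two `/proc/stat` snapshots, reads the 1-minute load average from `/proc/loadavg`, and flags the host when the load implies far more demand than the reported utilisation accounts for. The `/proc` lines used in the docstring and tests are constructed samples, not data captured from an infected machine, and the `slack` threshold is an assumed tuning value.

```python
"""Cross-check reported CPU utilisation against an independent load signal.

Added example (not from the article): a rootkit that falsifies the accounting
behind the usual CPU gauges breaks the "high CPU = miner" heuristic, so compare
the reported figure with a second source and alert when they disagree.
All sample data in this file is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CpuSample:
    busy: int   # jiffies spent working (user+nice+system+irq+softirq+steal)
    total: int  # all jiffies, including idle and iowait


def parse_proc_stat_cpu(text: str) -> CpuSample:
    """Parse the aggregate 'cpu' line of /proc/stat into a CpuSample."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "cpu":
            # Columns: user nice system idle iowait irq softirq steal guest guest_nice
            values = [int(v) for v in fields[1:9]]
            values += [0] * (8 - len(values))  # older kernels omit trailing columns
            idle = values[3] + values[4]        # idle + iowait
            total = sum(values)                 # guest time is already inside user/nice
            return CpuSample(busy=total - idle, total=total)
    raise ValueError("no aggregate 'cpu' line found in /proc/stat text")


def utilisation(before: CpuSample, after: CpuSample) -> float:
    """Fraction of elapsed jiffies spent busy between two snapshots."""
    elapsed = after.total - before.total
    if elapsed <= 0:
        raise ValueError("snapshots must be taken in increasing order")
    return (after.busy - before.busy) / elapsed


def parse_loadavg(text: str) -> tuple[float, int]:
    """Return (1-minute load average, number of currently runnable tasks).

    Constructed sample input: '3.90 3.50 3.20 5/400 12345'
    """
    fields = text.split()
    running = int(fields[3].split("/")[0])
    return float(fields[0]), running


def accounting_is_consistent(reported_util: float, load_1m: float, ncpu: int,
                             slack: float = 0.5) -> bool:
    """True when the 1-minute load does not imply far more demand than reported.

    load/ncpu approximates the fraction of CPU capacity demanded over the last
    minute. A gap larger than `slack` (assumed tuning value) against the
    reported figure means one of the two sources is wrong, or the box is
    I/O-bound, since load also counts uninterruptible sleepers. Either way it
    deserves a look.
    """
    implied_util = min(load_1m / ncpu, 1.0)
    return implied_util - reported_util <= slack


if __name__ == "__main__":
    # Live check on the current host: two snapshots five seconds apart.
    import os
    import time

    with open("/proc/stat") as f:
        first = parse_proc_stat_cpu(f.read())
    time.sleep(5)
    with open("/proc/stat") as f:
        second = parse_proc_stat_cpu(f.read())
    with open("/proc/loadavg") as f:
        load_1m, running = parse_loadavg(f.read())

    util = utilisation(first, second)
    ok = accounting_is_consistent(util, load_1m, os.cpu_count() or 1)
    print(f"reported utilisation {util:.1%}, load1 {load_1m}, runnable {running}: "
          + ("consistent" if ok else "INCONSISTENT - investigate"))
```

Both `/proc/stat` and `/proc/loadavg` are served by the kernel, so a kernel-mode rootkit can in principle falsify both; the check still catches the common case where only the CPU accounting is tampered with. The stronger version of the same idea compares in-guest figures with metrics the host cannot influence, such as hypervisor or cloud-provider CPU metrics, or power draw.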
Casey Ellis, CTO and Founder
September 18, 2019 7:31 pm

The sheer amount of work put into commodity malware that targets Linux is what I find interesting about Skidmap. This is a very thoughtful set of obfuscations and concealments more typical of "spray-and-pray" cryptominers targeting Windows or Mac operating systems – or of more customized, targeted Linux malware that's unlikely to be a part of a campaign like this one. Over the last several months, we've seen more evidence that suggests that attackers are continuing to increase their focus on Linux as a vehicle to obtain access to compute and bandwidth resources.

Last edited 4 years ago by Casey Ellis
