The Linux malware, Skidmap is fully capable of mining cryptocurrency through the creation of malicious LKM (loadable kernel modules) to stay undetected, by overwriting and modifying the kernel capabilities.

While the security researchers at TrendMicro who discovered the new Linux malware claimed that it is capable of illicit cryptocurrency mining activities, which are aimed at enriching the cybercriminals, which activities go undetected by the users. Asides cryptomining, the new malware can also grant backdoor access to the attackers on the affected system using a secret master password.

And once Skidmap infects a system through the commands to schedule jobs in any Unix-like OS, it installs malicious codes (“pc”), which will eventually lower the security settings of the system.

Albeit, there isn't any information on the particular cryptocurrency that is mined by the malware, as it simply injects the system with a cryptocurrency miner, which the malware does by figuring out the OS, and works only on either Debian or RHEL/CentOS systems.

The malware devises other method of unauthorized access to an infected system by replacing the “pam_unix.so file” - which file serves for authentication of the Unix system, with malicious variant, coded as “Backdoor.Linux.PAMDOR.A.” file. And the components include fake “rm” binary, and kaudited binary that install several LKMs, with the Iproute module and Netlink rootkit to fake the network stats.

Given that the cryptocurrency-mining threat could lead to higher disruption of business, and perhaps more expenses for the user, it is recommended that Linux users should keep their systems software up-to-date, and apply patches a soon as they are made available, and be cautious of installing any third-party repository.

Linux Malware, Skidmap capable of Cryptomining via the Kernel module rootkit



The Linux malware, Skidmap is fully capable of mining cryptocurrency through the creation of malicious LKM (loadable kernel modules) to stay undetected, by overwriting and modifying the kernel capabilities.

While the security researchers at TrendMicro who discovered the new Linux malware claimed that it is capable of illicit cryptocurrency mining activities, which are aimed at enriching the cybercriminals, which activities go undetected by the users. Asides cryptomining, the new malware can also grant backdoor access to the attackers on the affected system using a secret master password.

And once Skidmap infects a system through the commands to schedule jobs in any Unix-like OS, it installs malicious codes (“pc”), which will eventually lower the security settings of the system.

Albeit, there isn't any information on the particular cryptocurrency that is mined by the malware, as it simply injects the system with a cryptocurrency miner, which the malware does by figuring out the OS, and works only on either Debian or RHEL/CentOS systems.

The malware devises other method of unauthorized access to an infected system by replacing the “pam_unix.so file” - which file serves for authentication of the Unix system, with malicious variant, coded as “Backdoor.Linux.PAMDOR.A.” file. And the components include fake “rm” binary, and kaudited binary that install several LKMs, with the Iproute module and Netlink rootkit to fake the network stats.

Given that the cryptocurrency-mining threat could lead to higher disruption of business, and perhaps more expenses for the user, it is recommended that Linux users should keep their systems software up-to-date, and apply patches a soon as they are made available, and be cautious of installing any third-party repository.

No comments