Threat actors have been targeting poorly secured Redis servers with a new, sophisticated SkidMap malware variant that can compromise various Linux distributions, including Alibaba, RedHat, Stream, Anolis, and openEuler, according to The Hacker News.
Vulnerable Redis servers are being compromised with a dropper shell script that deploys an ELF binary disguised as a GIF file; the binary then adds SSH keys to a root file, disables SELinux, and downloads the appropriate package, a Trustwave report showed. Those packages install several kernel modules, which in turn retrieve further rootkit payloads and conceal the miner process.
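Two cheap host checks a defender can run against the chain described above, as an added example that is not code from Trustwave or the article: a scan for files named like images but carrying the ELF magic, and an allow-list diff of `authorized_keys` entries. The scanned paths and sample data are constructed assumptions, not indicators from the report.

```python
# Added example, not code from Trustwave or the article: two cheap host checks
# for the chain described above. Paths and sample data below are constructed.
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def is_elf(head: bytes) -> bool:
    """True if the leading bytes carry the ELF magic, whatever the file name says."""
    return head.startswith(ELF_MAGIC)

def find_mislabelled_elfs(root: str) -> list[str]:
    """Files under `root` named like images but carrying an ELF header."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".gif", ".png", ".jpg")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue
            if is_elf(head):
                hits.append(path)
    return sorted(hits)

def unexpected_keys(authorized_keys: str, allowed: set[str]) -> list[str]:
    """Lines whose '<type> <blob>' is not allow-listed; option prefixes are skipped."""
    flagged = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            flagged.append(line.strip())  # malformed entry: worth a look too
        elif f"{fields[idx]} {fields[idx + 1]}" not in allowed:
            flagged.append(line.strip())
    return flagged

def demo_scan() -> list[str]:
    """Constructed tree: one ELF disguised as a GIF; returns flagged base names."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "logo.gif"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        return [os.path.basename(p) for p in find_mislabelled_elfs(tmp)]
```

In practice, run `find_mislabelled_elfs` over world-writable and web-served directories and feed `unexpected_keys` the contents of `/root/.ssh/authorized_keys` with the key blobs you actually provisioned as the allow-list.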
"The level of advancement of this malware is really high, and detecting it, especially in larger server infrastructures, can be very hard. When testing it on home computers, the only serious indicator that something was wrong was the excessive operation of fans, and in the case of laptops, the temperature of the case," said Trustwave security researcher Radoslaw Zdonczyk.