Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.
Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post today.
“Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits – given their capability to overwrite or modify parts of the kernel – makes it harder to clean compared to other malware,” the blog post states. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”
After its installation, the malware downloads its main binary, “pc,” which either reconfigures or outright disables an infected machine’s Security-Enhanced Linux (SELinux) policy. It then establishes backdoor access by adding an unauthorized public key to the authorized_keys file. Additionally, Skidmap replaces pam_unix.so – a module responsible for standard Unix authentication) – with a malicious version that “accepts a specific password for any users, thus allowing the attackers to log in as any user in the machine,” the researchers explain.
At this point, the binary drops the cryptocurrency miner by one of two methods, depending on whether the affected machine runs on the Debian Linux distribution, or the CentOS or Red Hat Enterprise Linux (RHEL) distro.
Other components dropped by the malware include a fake replacement for the “rm” command for scheduling the downloading and execution of files. (The genuine rm command actually is used to delete files.) Still others include “kaudited,” which drops multiple LKMs on the machine to account for various possible kernel versions; iproute, a module for hiding files; and netlink, a rootkit that fakes network traffic and CPU statistics so that users think their machine is behaving normally even as it is being cryptojacked.