Threat Management, Threat Management, Malware

Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access

Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post today.

"Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits – given their capability to overwrite or modify parts of the kernel – makes it harder to clean compared to other malware," the blog post states. "In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up."

After its installation, the malware downloads its main binary, "pc," which either reconfigures or outright disables an infected machine's Security-Enhanced Linux (SELinux) policy. It then establishes backdoor access by adding an unauthorized public key to the authorized_keys file. Additionally, Skidmap replaces – a module responsible for standard Unix authentication) – with a malicious version that "accepts a specific password for any users, thus allowing the attackers to log in as any user in the machine," the researchers explain.

At this point, the binary drops the cryptocurrency miner by one of two methods, depending on whether the affected machine runs on the Debian Linux distribution, or the CentOS or Red Hat Enterprise Linux (RHEL) distro.

Other components dropped by the malware include a fake replacement for the "rm" command for scheduling the downloading and execution of files. (The genuine rm command actually is used to delete files.) Still others include "kaudited," which drops multiple LKMs on the machine to account for various possible kernel versions; iproute, a module for hiding files; and netlink, a rootkit that fakes network traffic and CPU statistics so that users think their machine is behaving normally even as it is being cryptojacked.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.