Friday, January 24, 2025
HomeCyber Security NewsLinux Malware Skidmap Uses kernel-mode Rootkits to Hide Cryptocurrency Mining Activities

Linux Malware Skidmap Uses kernel-mode Rootkits to Hide Cryptocurrency Mining Activities

Published on

SIEM as a Service

Follow Us on Google News

Skidmap is a recent sample of the Linux malware that loads malicious kernel modules to hide it’s Cryptocurrency mining activities by faking network traffic and CPU usage.

The malware not only generates Cryptocurrency, but it also set’s up a secret master password on the infected system, which gives attackers complete system access.

Security researchers from Trend Micro observed the Linux Malware, Skidmap. According to their analysis of the malware, “it loads kernel-mode rootkits are not only more difficult to detect compared to its user-mode counterparts — but attackers can also use them to gain unfettered access to the affected system.”

Linux Malware Skidmap Infection Chain

The malware install’s through crontab, a utility used in Unix-like machines to schedule the job to run at regular time intervals. Upon installation, it downloads multiple binaries to the infected machine which affects the machine’s security settings.

Skidmap also set’s up backdoor access to the machine, besides backdoor, it creates another way also to gain unrestricted access to the system by setting a master password, which let attackers log in the system as any user.

Linux Malware Skidmap
Skidmap Infection Chain Source: Trend Micro

If the binary checks determine the infected system using Debian or RHEL/CentOS, then it drops cryptocurrency miner and additional components depend upon the operating system.

Notable Malicious Components

The Linux malware includes malicious components to evade its malicious activities and ensure they continue to run them in the infected machine.

A fake “rm” binary – Set’s malicious corn job task to download and execute a file.

kaudited – Drops Kernel modules and watchdog component to monitor the cryptocurrency miner file and process.

iproute – Used to hide files and fake network traffic.

netlink – Fakes network-related statistics and CPU-related statistics.

When compared with other malware, Skidmap employes advanced method to remain undetected and creates multiple ways for attacks to connect with the infected machine.

EvilGnome is yet another Linux malware observed recently with the capabilities of creating a backdoor and spying the Linux desktop users.

Indicators of Compromise

c07fe8abf4f8ba83fb95d44730efc601ba9a7fc340b3bb5b4b2b2741b5e31042
3ae9b7ca11f6292ef38bd0198d7e7d0bbb14edb509fdeee34167c5194fa63462
e6eb4093f7d958a56a5cd9252a4b529efba147c0e089567f95838067790789ee
240ad49b6fe4f47e7bbd54530772e5d26a695ebae154e1d8771983d9dce0e452
945d6bd233a4e5e9bfb2d17ddace46f2b223555f60f230be668ee8f20ba8c33c
913208a1a4843a5341231771b66bb400390bd7a96a5ce3af95ce0b80d4ed879e

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

PayPal Fined $2 Million Fine For Violating Cybersecurity Regulations

The New York State Department of Financial Services (NYDFS) has imposed a $2 million...