Security researchers at TrendMicro have discovered a rootkit-like strain of malware that is striking Linux users. Called Skidmap, the malware is a cryptocurrency miner, but there is much more to it than that.
Skidmap is clever. Very clever. It goes out of its way to disguise itself, going as far as faking system statistics to hide the tell-tale high CPU usage that might give it away. More than this, the Monero-mining malware can also give attackers unlimited access to an infected system.
TrendMicro warns that Skidmap “demonstrates the increasing complexity of recent cryptocurrency-mining threats”, pointing out that it is “notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar”.
Threat analysts Augusto Remillano II and Jakub Urbanec go into some detail about how Skidmap works in a post on the TrendMicro blog. They explain:
This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar.
These kernel-mode rootkits are not only more difficult to detect compared to their user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system. Conversely, given that many of Skidmap’s routines require root access, the attack vectors that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.
Infection comes via the crontab process, and a script is used to download the Trojan.Linux.SKIDMAP.UWEJX malware — the “pc” binary. It then goes on to lower the system’s security settings, as TrendMicro’s researchers explain:
Upon execution of the “pc” binary, it will decrease the affected machine’s security settings. If the file /usr/sbin/setenforce exists, the malware executes the command, setenforce 0. This command configures the system’s Security-Enhanced Linux (SELinux) module, which provides support in the system’s access control policies, into permissive mode — that is, setting the SELinux policy so that it is not enforced. If the system has the /etc/selinux/config file, it will write these commands into the file: SELINUX=disabled and SELINUXTYPE=targeted. The former disables the SELinux policy (or disallows one to be loaded), while the latter sets selected processes to run in confined domains.
Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication.
Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine. The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version (detected as Backdoor.Linux.PAMDOR.A). This malicious pam_unix.so file accepts a specific password for any user, thus allowing the attackers to log in as any user on the machine.
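An administrator can audit a host for the three changes just described (the SELinux config edit, the added authorized_keys entry and the replaced pam_unix.so) from the shell. The script below is an added example, not code from TrendMicro or the article; the pam_unix.so locations, the package names and the allow-list file format are assumptions, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Audit for the three host changes described above: SELinux switched off in
# /etc/selinux/config, a foreign public key appended to authorized_keys, and a
# pam_unix.so that no longer matches its package. Added example, not TrendMicro's
# code; library paths, package names and the allow-list format are assumptions.

# Returns 0 if the given SELinux config sets SELINUX=disabled or permissive.
selinux_weakened() {
    grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*(disabled|permissive)' "$1"
}

# Prints authorized_keys ($1) entries whose key blob is not in the allow-list
# file ($2, one known-good public key per line); returns 0 if any were found.
unknown_keys() {
    rc=1
    while IFS= read -r line; do
        # the base64 key material always starts with "AAAA" (length of key type)
        blob=$(printf '%s\n' "$line" | grep -oE 'AAAA[A-Za-z0-9+/=]+' | head -n 1)
        [ -n "$blob" ] || continue                    # blank or comment line
        if ! grep -Fq -- "$blob" "$2"; then
            echo "unknown key in $1: $(printf '%s' "$blob" | cut -c1-24)..."
            rc=0
        fi
    done < "$1"
    return $rc
}

# Asks the package manager whether pam_unix.so still matches the shipped file
# (rpm -V / dpkg -V print one line per altered file; no output means intact).
pam_unix_modified() {
    f=$(ls /lib64/security/pam_unix.so /lib/*/security/pam_unix.so 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    if command -v rpm >/dev/null 2>&1; then rpm -Vf "$f" 2>/dev/null | grep -q pam_unix
    elif command -v dpkg >/dev/null 2>&1; then dpkg -V libpam-modules 2>/dev/null | grep -q pam_unix
    else return 1; fi
}

# Constructed sample files (not captured from a real host) so the script runs offline;
# on a live system point the functions at /etc/selinux/config and ~/.ssh/authorized_keys.
d=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/selinux.config"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKnownGoodKey admin@host\n' > "$d/allowed"
cp "$d/allowed" "$d/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCConstructedHandlerKey handler\n' >> "$d/authorized_keys"

selinux_weakened "$d/selinux.config" && echo "SELinux set to disabled/permissive in config"
unknown_keys "$d/authorized_keys" "$d/allowed" || echo "authorized_keys: only allow-listed keys"
pam_unix_modified && echo "pam_unix.so differs from the packaged version"
rm -rf "$d"
```

The package-manager check only catches a replaced file when the original came from a package; on hosts without rpm or dpkg, compare the library against a hash baseline taken before deployment instead.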
Skidmap goes to some lengths to disguise itself, loading malicious kernel modules for the purpose: an “iproute” module that hides key files, and a “netlink” rootkit that fakes network and CPU statistics.
TrendMicro recommends simply adopting best practices to avoid this particular strain of malware. Specifically, this means administrators should “keep the systems and servers updated and patched (or use virtual patching for legacy systems); beware of unverified, third-party repositories; and enforce the principle of least privilege to prevent suspicious and malicious executables or processes from running”.