Linux malware masks illicit crypto mining with fake network traffic
A new cryptocurrency mining malware targeting Linux systems has demonstrated how complex this type of malware has become. Known as Skidmap, the malware is not only harder to detect, it also gives the attackers unfiltered access to the affected system.
The malware was discovered by security researchers from Trend Micro. In a blog post, the researchers revealed that the malware can set up a secret master password that gives the attackers access to any user account on the system.
The malware installs itself through crontab, a list of tasks scheduled to run at regular intervals, the researchers explained. Upon execution, the malware weakens the affected machine’s security settings. It does this by disabling Security-Enhanced Linux (SELinux), the kernel security module that enforces the system’s access control policies.
Skidmap also gives the attackers backdoor access to the affected machine by adding the attacker’s public keys to the list of keys the system accepts for login.
Furthermore, it replaces the system’s authentication module known as pam_unix with its own malicious version. This version accepts a specific password set by the attackers for any user on the system, allowing them to log in to any user account at will.
To avoid detection, Skidmap loads several other malicious components onto the affected machines. One of these is a netlink rootkit that fakes network statistics, specifically traffic involving certain ports and IP addresses. It also fakes CPU-related statistics, making the affected machines appear to be running normally. With high CPU usage being one of the best-known red flags of cryptojacking malware, this is a key strategy for the attackers.
The researchers revealed to The Next Web that Skidmap mines Monero, one of the leading privacy coins. “The cryptocurrency miner pertaining to this article is a variant of XMRig which mines Monero cryptocurrency,” they stated.
The researchers advised, “Given Linux’s use in many enterprise environments, its users, particularly administrators, should always adopt best practices: keep the systems and servers updated and patched (or use virtual patching for legacy systems); beware of unverified, third-party repositories; and enforce the principle of least privilege to prevent suspicious and malicious executables or processes from running.”
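The following host audit is an added example, not Trend Micro’s code or anything from the Skidmap report: it checks a Linux machine for the four behaviours described above (SELinux disabled, a foreign key in authorized_keys, a replaced pam_unix.so, and cron-based installation). The baseline hash file and key allowlist are assumed to have been recorded by the administrator on a known-good system beforehand.

```shell
#!/bin/sh
# Added defender-side audit for the Skidmap behaviours described above.
# Each check takes its input file as an argument so it runs against a live
# host or against files copied off a suspect machine.

# SELinux: Skidmap disables it. Succeeds only when the kernel reports enforcing.
selinux_enforcing() {
  f="${1:-/sys/fs/selinux/enforce}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# authorized_keys: print key blobs in $1 that are absent from the allowlist $2
# (one base64 blob per line, no blank lines). Option-prefixed lines are handled
# because every OpenSSH key blob starts with "AAAA".
unknown_keys() {
  grep -vE '^[[:space:]]*(#|$)' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA[A-Za-z0-9+\/=]+$/) { print $i; break } }' \
    | grep -vxF -f "$2" || true
}

# pam_unix.so: compare against a baseline made on a clean host with
#   sha256sum /lib*/security/pam_unix.so > baseline
# (rpm -V pam or dpkg -V libpam-modules gives the same answer from package
# metadata). Succeeds only if every listed file is unchanged.
pam_unix_intact() {
  sha256sum -c "$1" >/dev/null 2>&1
}

# crontab: print entries that download content and pipe it straight into a
# shell; these are the install/persistence lines to review first. $@ = files.
download_and_run_cron() {
  grep -HE '(curl|wget)[^|;]*\|[[:space:]]*(ba|da)?sh' "$@" 2>/dev/null || true
}

# Live-host audit: $1 = pam baseline, $2 = key allowlist (run as root so the
# cron spool and every user's authorized_keys are readable).
run_audit() {
  selinux_enforcing || echo "WARN: SELinux is not enforcing"
  pam_unix_intact "$1" || echo "WARN: pam_unix.so differs from baseline"
  for k in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    [ -f "$k" ] && unknown_keys "$k" "$2" | sed "s#^#WARN: unknown key in $k: #"
  done
  download_and_run_cron /etc/crontab /etc/cron.d/* /var/spool/cron/*
  # The CPU and network counters in /proc are exactly what the netlink rootkit
  # forges, so confirm load out of band (hypervisor metrics, switch counters).
}
```

Run `run_audit /path/to/baseline /path/to/allowlist` as root; an empty report means none of the four indicators was found, not that the host is clean.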
Cryptojacking malware attacks surged by 29% in the first quarter of the year, a report by McAfee Labs revealed last month. The attackers have continued to find new ways to stay ahead, with a recent report revealing that Glupteba malware is using the Core Coin (BTC) blockchain to increase its resilience.