Skidmap Linux Rootkit

Skidmap is a rootkit targeting Linux systems, primarily web servers, in order to enrol them into cryptocurrency mining botnets.

It is unclear how Skidmap is initially delivered, although the nature of its targets suggests its operators are manually identifying systems, gaining access, and dropping a preliminary script. This script is then executed to create a cron job to download and install Skidmap’s main binary. Skidmap will then attempt to disable any SELinux security policies before deploying a backdoor to allow its operators access to any users present on the affected system.

Once this is done, Skidmap will check if the installed operating systems is Debian- or CentOS/RHEL-based, before unpacking and installing an unnamed cryptocurrency miner. It will then make several system calls to hide its files, and disguise network and CPU statistics to prevent detection when mining. It also sets up a secret master password that uses to access any user account on the system.

On Debian-based systems, it drops the cryptocurrency miner payload to /tmp/miner2. For CentOS/RHEL systems, it will download a tar (tape archive) file from the URL, hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz, containing the cryptocurrency miner and its multiple components, which is unpacked and then installed. domain on Virus Total

Indicators of Compromise

SHA256 File Hashes

  • 240ad49b6fe4f47e7bbd54530772e5d26a695ebae154e1d8771983d9dce0e452
  • 3ae9b7ca11f6292ef38bd0198d7e7d0bbb14edb509fdeee34167c5194fa63462
  • 913208a1a4843a5341231771b66bb400390bd7a96a5ce3af95ce0b80d4ed879e
  • 945d6bd233a4e5e9bfb2d17ddace46f2b223555f60f230be668ee8f20ba8c33c
  • c07fe8abf4f8ba83fb95d44730efc601ba9a7fc340b3bb5b4b2b2741b5e31042
  • e6eb4093f7d958a56a5cd9252a4b529efba147c0e089567f95838067790789ee



Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: