Skidmap is a rootkit targeting Linux systems, primarily web servers, in order to enrol them into cryptocurrency mining botnets.
It is unclear how Skidmap is initially delivered, although the nature of its targets suggests its operators are manually identifying systems, gaining access, and dropping a preliminary script. This script is then executed to create a cron job to download and install Skidmap’s main binary. Skidmap will then attempt to disable any SELinux security policies before deploying a backdoor to allow its operators access to any users present on the affected system.
Once this is done, Skidmap will check if the installed operating systems is Debian- or CentOS/RHEL-based, before unpacking and installing an unnamed cryptocurrency miner. It will then make several system calls to hide its files, and disguise network and CPU statistics to prevent detection when mining. It also sets up a secret master password that uses to access any user account on the system.
On Debian-based systems, it drops the cryptocurrency miner payload to /tmp/miner2. For CentOS/RHEL systems, it will download a tar (tape archive) file from the URL, hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz, containing the cryptocurrency miner and its multiple components, which is unpacked and then installed.
Indicators of Compromise
SHA256 File Hashes