New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers

Vulnerable Redis services have been targeted by a “new, improved, dangerous” variant of a malware called SkidMap that’s engineered to target a wide range of Linux distributions.

“The malicious nature of this malware is to adapt to the system on which it is executed,” Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week.

Some of the Linux distribution SkidMap sets its eyes on include Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky.

SkidMap was first disclosed by Trend Micro in September 2019 as a cryptocurrency mining botnet with capabilities to load malicious kernel modules that can obfuscate its activities as well as monitor the miner process.

The operators of the malware have also been found camouflaging their backup command-and-control (C2) IP address on the Bitcoin blockchain, evocative of another botnet malware known as Glupteba.

“The technique of fetching real-time data from a decentralized and essentially uncensorable data source to generate a C2 IP address makes the infection difficult to take down and makes pivoting the C2 IP address simple and fast,” Akamai noted in February 2021.

The latest attack chain documented by Trustwave involves breaching poorly secured Redis server instances to deploy a dropper shell script that’s designed to distribute an ELF binary that masquerades as a GIF image file.

The binary then proceeds to add SSH keys to the “/root/.ssh/authoried_keys” file, disable SELinux, establish a reverse shell that pings an actor-controlled server every 60 minutes, and ultimately download an appropriate package (named gold, stream, or euler) based on the Linux distribution and the kernel used.

The package, for its part, comes with several shell scripts to install the kernel modules and take steps to cover up the tracks by purging logs, and launch a botnet component capable of retrieving additional rootkit payloads: mcpuinfo.ko, to hide the miner process, and kmeminfo.ko, to analyze, modify, or drop network packets.

Also downloaded is the miner binary itself, although in some variants, a “built-in miner from an extracted ‘GIF’ binary file” is used.

“The level of advancement of this malware is really high, and detecting it, especially in larger server infrastructures, can be very hard,” Zdonczyk said. “When testing it on home computers, the only serious indicator that something was wrong was the excessive operation of fans, and in the case of laptops, the temperature of the case.”