Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

ID: S0468
Type: MALWARE
Platforms: Linux
Version: 1.1
Created: 09 June 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Skidmap has created a fake rm binary to replace the legitimate Linux binary.[1]

Enterprise T1556.003 Modify Authentication Process: Pluggable Authentication Modules

Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Skidmap has the ability to download, unpack, and decrypt tar.gz files.[1]

Enterprise T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.[1]

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Skidmap has used pm.sh to download and install its main payload.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Skidmap has the ability to set SELinux to permissive mode.[1]

Enterprise T1083 File and Directory Discovery

Skidmap has checked for the existence of specific files, including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Skidmap has encrypted its main payload using 3DES.[1]

Enterprise T1082 System Information Discovery

Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.[1]

Enterprise T1098.004 Account Manipulation: SSH Authorized Keys

Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.[1]

Enterprise T1496.001 Resource Hijacking: Compute Hijacking

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[1]

Enterprise T1105 Ingress Tool Transfer

Skidmap has the ability to download files on an infected host.[1]

Enterprise T1057 Process Discovery

Skidmap has monitored critical processes to ensure resiliency.[1]

Enterprise T1053.003 Scheduled Task/Job: Cron

Skidmap has installed itself via crontab.[1]
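As an added defender-side example (not from the ATT&CK entry and not Skidmap's own code), the following POSIX shell audit checks a host for the artifacts named in the T1562.001, T1098.004, T1556.003 and T1036.005 rows above: a weakened SELinux config, authorized_keys entries outside an allowlist, and package-owned files such as pam_unix.so and rm that no longer match the package database. The allowlist path /etc/audit/allowed_keys, the AUDIT_LIVE switch and the pam_unix.so library paths are assumptions.

```shell
#!/bin/sh
# Host audit for Skidmap-style persistence and defense-evasion artifacts.
# Each check takes the file to inspect as an argument, so it runs on a live host
# or on files copied from one. Exit status 0 = clean, 1 = finding.
# (Added example; paths marked as assumptions are not from the ATT&CK page.)

# T1562.001: SELinux switched to permissive or disabled in /etc/selinux/config.
selinux_weakened() {
    grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*(permissive|disabled)' "$1"
}

# T1098.004: print key material in an authorized_keys file ($1) that is absent
# from an allowlist file ($2). Leading key options (command="...") are skipped.
unknown_authorized_keys() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        keymat=$(printf '%s\n' "$line" |
            awk '{ for (i = 1; i <= NF; i++)
                     if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit } }')
        [ -n "$keymat" ] || continue
        grep -qF -- "$keymat" "$2" || { echo "unknown key: $keymat"; found=1; }
    done < "$1"
    return "$found"
}

# T1556.003 / T1036.005: has a package-owned file (pam_unix.so, rm) been replaced?
# Verifies the file against the rpm or dpkg database; any output means a mismatch.
package_file_modified() {
    if command -v rpm >/dev/null 2>&1; then
        [ -n "$(rpm -Vf "$1" 2>/dev/null)" ]
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | sed 's/:.*//')
        [ -n "$pkg" ] && [ -n "$(dpkg -V "$pkg" 2>/dev/null | grep -F "$1")" ]
    else
        echo "no package manager found; compare $1 against a known-good hash" >&2
        return 2
    fi
}

# Live-host run (only when AUDIT_LIVE is set); allowlist path is an assumption.
if [ -n "${AUDIT_LIVE:-}" ]; then
    selinux_weakened /etc/selinux/config && echo "SELinux is not enforcing"
    unknown_authorized_keys /root/.ssh/authorized_keys /etc/audit/allowed_keys || :
    for f in "$(command -v rm)" /lib64/security/pam_unix.so \
             /lib/x86_64-linux-gnu/security/pam_unix.so; do
        [ -e "$f" ] && package_file_modified "$f" && echo "modified: $f"
    done
fi
```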

References