Cryptojacking malware continues to be a challenge in 2019. According to research published by TrendMicro in September, a new cryptojacking malware is targeting Linux systems. The malware, known as Skidmap, is capable of accessing computers and illegally using their processing power to mine crypto.
The Skidmap Malware
To conduct its illicit activities, the Skidmap malware attacks computers by creating infected loadable kernel modules (LKM) to stay hidden. Since it utilizes the Linux kernel module rootkits, it is quite difficult to detect. The reason for this is that the malware comes with the ability to overwrite and modify kernel parts.
Besides crypto mining, the researchers claim that the malware is able to create backdoors, which hackers can use to access the infected system by creating secret master passwords. It can then use it to gain unauthorized access to any part of the system.
How it Works
The malware enters a Linux system using the crontab commands, which are used to schedule jobs in Unix-based computer OS. Once it is in the system, it will install corrupted binaries that it uses to lower the security settings of the infected computer, making it possible to use the computer for crypto mining. The research did not point out which crypto the malware was mining. To begin its cryptojacking activity, the malware detects the specific OS, whether it is CentOS/RHEL or Debian.
For Debian systems, the malware will save its crypto-miner in “/tmp/miner2.” For the CentOS/RHEL system, it stores the crypto miner as a tar file, which is sourced from the hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz.” URL.
It also has another method that it uses to access infected systems. To achieve this goal, it replaces the “pam_unix.so” file, which is used for authentication with a malicious file called “Backdoor.Linux.PAMDOR.A.” With these simple steps, the malware has full access to any system.
The malware has other malicious components that it installs in the system. For instance, it utilizes various other components to accomplish its malicious goals. Some of the components are a fake “rm” binary, an Iproute module, a kaudited binary that it uses to install various LKMs and a Netlink rootkit to help it generate fake network stats.
How to Stay Safe
The threat of crypto-jacking continues to grow every day. This can lead to higher power consumption as well as disruption of business processes. With a few precautions, one can keep their systems safe. One way to do this is to ensure that the system and servers are updated and patched often. Besides that, users should conduct due diligence when using third-party repositories. Additionally, avoid clicking on unfamiliar links sent to your email and check the website URLs of the sites you visit to ensure they are secured.
How to Detect Crypto Jacking
There are various ways to detect cryptojacking. If you use a laptop and notice your fan is revving up, that is a good sign there is malicious software on your device. Besides that, if you notice your laptop heats up often, you should scan your laptop with an updated and reliable antivirus.
Image Source: Shutterstock
Notice: Information contained herein is not and should not be construed as an offer, solicitation, or recommendation to buy or sell securities. The information has been obtained from sources we believe to be reliable; however no guarantee is made or implied with respect to its accuracy, timeliness, or completeness. Authors may own the crypto currency they discuss. The information and content are subject to change without notice. Visionary Financial and its affiliates do not provide investment, tax, legal or accounting advice. This material has been prepared for informational purposes only and is the opinion of the author, and is not intended to provide, and should not be relied on for, investment, tax, legal, accounting advice. You should consult your own investment, tax, legal and accounting advisors before engaging in any transaction. All content published by Visionary Financial is not an endorsement whatsoever. Visionary Financial was not compensated to submit this article Please also visit our Privacy policy; disclaimer; and terms and conditions page for further information.