Cryptojacking malware continues to be a challenge in 2019. According to research published by TrendMicro in September, a new cryptojacking malware is targeting Linux systems. The malware, known as Skidmap, is capable of accessing computers and illegally using their processing power to mine crypto.
The Skidmap Malware
To conduct its illicit activities, the Skidmap malware attacks computers by creating infected loadable kernel modules (LKM) to stay hidden. Since it utilizes the Linux kernel module rootkits, it is quite difficult to detect. The reason for this is that the malware comes with the ability to overwrite and modify kernel parts.
Besides crypto mining, the researchers claim that the malware is able to create backdoors, which hackers can use to access the infected system by creating secret master passwords. It can then use it to gain unauthorized access to any part of the system.
How it Works
The malware enters a Linux system using the crontab commands, which are used to schedule jobs in Unix-based computer OS. Once it is in the system, it will install corrupted binaries that it uses to lower the security settings of the infected computer, making it possible to use the computer for crypto mining. The research did not point out which crypto the malware was mining. To begin its cryptojacking activity, the malware detects the specific OS, whether it is CentOS/RHEL or Debian.
For Debian systems, the malware will save its crypto-miner in “/tmp/miner2.” For the CentOS/RHEL system, it stores the crypto miner as a tar file, which is sourced from the hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz.” URL.
It also has another method that it uses to access infected systems. To achieve this goal, it replaces the “pam_unix.so” file, which is used for authentication with a malicious file called “Backdoor.Linux.PAMDOR.A.” With these simple steps, the malware has full access to any system.
The malware has other malicious components that it installs in the system. For instance, it utilizes various other components to accomplish its malicious goals. Some of the components are a fake “rm” binary, an Iproute module, a kaudited binary that it uses to install various LKMs and a Netlink rootkit to help it generate fake network stats.
How to Stay Safe
The threat of crypto-jacking continues to grow every day. This can lead to higher power consumption as well as disruption of business processes. With a few precautions, one can keep their systems safe. One way to do this is to ensure that the system and servers are updated and patched often. Besides that, users should conduct due diligence when using third-party repositories. Additionally, avoid clicking on unfamiliar links sent to your email and check the website URLs of the sites you visit to ensure they are secured.
How to Detect Crypto Jacking
There are various ways to detect cryptojacking. If you use a laptop and notice your fan is revving up, that is a good sign there is malicious software on your device. Besides that, if you notice your laptop heats up often, you should scan your laptop with an updated and reliable antivirus.
Image Source: Shutterstock