Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

ID: S0468
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 09 June 2020
Last Modified: 26 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.[1]

Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Skidmap has used pm.sh to download and install its main payload.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Skidmap has the ability to download, unpack, and decrypt tar.gz files .[1]

Enterprise T1083 File and Directory Discovery

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. [1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Skidmap has the ability to set SELinux to permissive mode.[1]

Enterprise T1105 Ingress Tool Transfer

Skidmap has the ability to download files on an infected host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Skidmap has created a fake rm binary to replace the legitimate Linux binary.[1]

Enterprise T1556 .003 Modify Authentication Process: Pluggable Authentication Modules

Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.[1]

Enterprise T1027 Obfuscated Files or Information

Skidmap has encrypted it's main payload using 3DES.[1]

Enterprise T1057 Process Discovery

Skidmap has monitored critical processes to ensure resiliency.[1]

Enterprise T1496 Resource Hijacking

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

Enterprise T1014 Rootkit

Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.[1]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Skidmap has installed itself via crontab.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[1]

Enterprise T1082 System Information Discovery

Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.[1]

References