Two threat analysts have identified a new strain of the Skidmap Linux malware that not only keeps its cryptocurrency mining hidden but also gives the threat actor universal access to an infected system through a secret master password.
Augusto Remillano II and Jakub Urbanec, the two researchers behind TrendMicro's latest blog post, revealed that Skidmap masks its cryptocurrency mining by faking network traffic and CPU-related statistics. High CPU usage is normally the primary red flag for illicit cryptocurrency mining, so falsifying those statistics removes the most obvious indicator an administrator would check.
They said the malware loads malicious kernel modules to hide its mining operations. These modules act as a rootkit: software designed to conceal its own presence, and that of other malicious components, from the system's users and monitoring tools.
The post also revealed that, besides running a cryptojacking campaign on the infected system, the Linux malware gives the cybercriminal "unfettered access" to the affected machine.
The researchers stated that this malware also sets up a way to "gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication."
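The persistence mechanism described above leaves a concrete artifact: an extra public key in one or more authorized_keys files. The following script, an added example that is not TrendMicro's code or anything from the report, audits the contents of such a file against the SHA256 fingerprints of keys a team actually issued, and also flags malformed entries and entries whose declared key type disagrees with the key blob. The sample authorized_keys text and both keys in it are constructed for the demonstration.

```python
"""Audit authorized_keys content for SSH keys that are not on an allowlist.

Added example, not code from TrendMicro or the Skidmap report. The sample
file and the two keys below are constructed; in practice you would read
~/.ssh/authorized_keys for every account (and sshd's AuthorizedKeysFile
paths) and load the allowlist from your key inventory.
"""
import base64
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys (subset that covers most fleets).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type: str, key_bytes: bytes) -> bytes:
    """Build the binary blob carried by the base64 field of an entry:
    the key type string followed by the raw key material."""
    return ssh_string(key_type.encode()) + ssh_string(key_bytes)


def b64(blob: bytes) -> str:
    """Base64 text as it appears in authorized_keys."""
    return base64.b64encode(blob).decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob: bytes) -> str:
    """Key type the blob itself declares (its first wire-format string)."""
    if len(blob) < 4:
        return ""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode(errors="replace")


def parse_authorized_keys(text: str):
    """Yield one dict per entry; blank and comment lines are skipped.
    Options, if present, precede the key type token."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield {"line": lineno, "error": "unparseable entry", "raw": raw}
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            yield {"line": lineno, "error": "bad base64", "raw": raw}
            continue
        yield {
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "key_type": tokens[idx],
            "fingerprint": fingerprint(blob),
            "type_mismatch": embedded_type(blob) != tokens[idx],
            "comment": " ".join(tokens[idx + 2:]),
        }


def audit(text: str, allowed_fingerprints: set) -> list:
    """Return entries a responder should review: keys not on the allowlist,
    malformed lines, and lines whose declared type disagrees with the blob."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(entry)
        elif entry["type_mismatch"] or entry["fingerprint"] not in allowed_fingerprints:
            findings.append(entry)
    return findings


# Constructed sample: one key the team issued, one that was never issued.
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
ROGUE_BLOB = make_blob("ssh-ed25519", b"\x42" * 32)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys managed by configuration management",
    "ssh-ed25519 " + b64(ADMIN_BLOB) + " admin@bastion",
    'from="10.0.0.0/8",no-pty ssh-ed25519 ' + b64(ADMIN_BLOB) + " backup@jump",
    "ssh-ed25519 " + b64(ROGUE_BLOB),           # appended by an intruder
])
ALLOWED = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(finding)
```

Fingerprints are computed over the decoded blob, so the result matches `ssh-keygen -lf` output and can be compared directly against an inventory exported from a bastion or configuration-management system. Because Skidmap also hides kernel-level state with its LKM rootkit, treat a clean audit as necessary rather than sufficient: read the files from an offline copy of the disk if the host's own tools are no longer trustworthy.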
Skidmap is also harder to detect and clean up than most malware, particularly because it uses Linux Kernel Module (LKM) rootkits that overwrite or modify parts of the kernel. It is also capable of reinfecting a system that has been cleaned or restored.
The post also warns that "Cryptocurrency-mining threats don't just affect a server or workstation's performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations."