Skidmap is a kernel-mode rootkit used for cryptocurrency mining that targets Linux operating systems. It can check for the existence of specific files, monitor cryptocurrency miner files and processes, and set SELinux to permissive mode.
Skidmap Malware Capabilities
Skidmap may use various techniques to evade detection and access sensitive information, including abusing Unix shell commands, transferring tools from external systems, and modifying pluggable authentication modules (PAM). Additionally, Skidmap may use rootkits to hide its presence and loadable kernel modules to automatically execute programs on system boot. Skidmap may also modify or disable security tools, make files difficult to discover or analyze, enumerate files and directories, or search specific locations for certain information.
- Skidmap may use various techniques to gain access to and control victim systems, including abusing Unix shell commands and scripts, transferring tools and files from external systems, and enumerating running processes. This information may be used to determine which systems to target and how best to infect them.
- The Skidmap malware may attempt to collect detailed information about the target system's operating system and hardware, in order to better evade defenses and carry out specific actions. Additionally, Skidmap may modify authentication modules in order to gain access to user credentials or other accounts.
- Skidmap may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits hide the existence of malware by intercepting (hooking) and modifying the operating system API calls that supply system information. Skidmap may also modify the kernel so that its programs execute automatically on system boot.
- Skidmap may modify the SSH authorized_keys file to persist on a victim host, and may use obfuscated files or information to hide its tracks. It may also abuse the cron utility to schedule execution of malicious code.
- Skidmap may disable security tools and attempt to make files difficult to discover or analyze. It may also consume the resources of co-opted systems for its own purposes, which could impact the availability of services on those systems.
Ways to Mitigate Skidmap Malware Attacks
- The Skidmap malware can be mitigated by restricting scripting for normal users, monitoring for file creation and unusual processes, and viewing data and events as part of a chain of behavior.
- Several detection practices apply. First, system and network discovery activity, through which an adversary learns the environment, should be monitored. Second, data and events should be considered in the context of a larger chain of behavior rather than in isolation. Third, file hashes should be collected and monitored for changes. Fourth, PAM configuration and module paths should be monitored for changes.
- System and network discovery monitoring can help identify Skidmap activity. Additionally, some rootkit protections may be built into anti-virus or operating system software. Finally, Linux systems can be monitored for the loading, unloading, and manipulation of kernel modules, which may indicate Skidmap activity.
- Further mitigations include using file integrity monitoring to detect changes made to the authorized_keys file, monitoring for suspicious processes that modify the authorized_keys file, and monitoring instances for modification of metadata and configurations in cloud environments. Additionally, defenders can detect the act of deobfuscating or decoding files or information, and perform process and command-line monitoring to detect potentially malicious behavior.
- Skidmap malware attacks can be mitigated in several ways, including monitoring processes and command-line arguments, detecting file obfuscation, and monitoring process resource usage.
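As an added illustration of the monitoring steps above (this is example code, not from the page or any vendor), the script below does two of them: it scans kernel and audit log lines for out-of-tree module loads and for SELinux switching from enforcing to permissive, and it hashes a watch list of persistence files (authorized_keys, PAM config, crontab) so that two snapshots can be diffed. The log lines, the module name `unknown_mod`, and the watched paths are constructed samples, not Skidmap indicators.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample lines in the style of Linux kernel and audit messages
# (not captured from a real infection; the module name is a placeholder).
SAMPLE_LOG = """\
[  120.311] usb 1-1: new high-speed USB device number 2
[  845.102] unknown_mod: loading out-of-tree module taints kernel.
[  845.103] unknown_mod: module verification failed: signature and/or required key missing - tainting kernel
audit: type=1404 audit(1700000000.123:45): enforcing=0 old_enforcing=1 auid=1000 ses=3 res=1
"""

# Kernel taint messages name the module being loaded; audit type=1404 (MAC_STATUS) records mode changes.
TAINT_RE = re.compile(r"^\[[^\]]*\]\s+(?P<mod>\S+): (loading out-of-tree module|module verification failed)")
MAC_RE = re.compile(r"enforcing=(?P<new>\d) old_enforcing=(?P<old>\d)")

def scan_log(text):
    """Return (kind, detail) findings: unsigned/out-of-tree module loads and SELinux going permissive."""
    findings = []
    for line in text.splitlines():
        m = TAINT_RE.search(line)
        if m:
            hit = ("kernel_module", m.group("mod"))
            if hit not in findings:          # one finding per module, not per taint line
                findings.append(hit)
            continue
        m = MAC_RE.search(line)
        if m and m.group("old") == "1" and m.group("new") == "0":
            findings.append(("selinux_permissive", line.strip()))
    return findings

# Persistence locations the page calls out; extend for other users' authorized_keys files.
WATCH = ["/root/.ssh/authorized_keys", "/etc/pam.d/system-auth", "/etc/crontab"]

def _read_or_none(path):
    f = Path(path)
    return f.read_bytes() if f.is_file() else None

def snapshot(paths, read_file=_read_or_none):
    """Map each watched path to its SHA-256 (None when the file is absent)."""
    out = {}
    for p in paths:
        data = read_file(p)
        out[p] = hashlib.sha256(data).hexdigest() if data is not None else None
    return out

def diff_snapshots(before, after):
    """Sorted paths whose hash differs between two snapshots (created, removed, or modified)."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(snapshot(WATCH))
```

Run `snapshot(WATCH)` once to record a baseline, then compare a later snapshot with `diff_snapshots`; any change to the authorized_keys or PAM files should be investigated alongside process and command-line logs from the same window.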