ATT&CK v16 has been released! Check out the blog post for more information.

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.^[1]

ID: S0468

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.1

Created: 09 June 2020

Last Modified: 11 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1098	.004	Account Manipulation: SSH Authorized Keys	Skidmap has the ability to add the public key of its handlers to the `authorized_keys` file to maintain persistence on an infected host.^[1]
Enterprise	T1547	.006	Boot or Logon Autostart Execution: Kernel Modules and Extensions	Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.^[1]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	Skidmap has used `pm.sh` to download and install its main payload.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Skidmap has the ability to download, unpack, and decrypt tar.gz files .^[1]
Enterprise	T1083		File and Directory Discovery	Skidmap has checked for the existence of specific files including `/usr/sbin/setenforce` and `/etc/selinux/config`. It also has the ability to monitor the cryptocurrency miner file and process. ^[1]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	Skidmap has the ability to set SELinux to permissive mode.^[1]
Enterprise	T1105		Ingress Tool Transfer	Skidmap has the ability to download files on an infected host.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Skidmap has created a fake `rm` binary to replace the legitimate Linux binary.^[1]
Enterprise	T1556	.003	Modify Authentication Process: Pluggable Authentication Modules	Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Skidmap has encrypted it's main payload using 3DES.^[1]
Enterprise	T1057		Process Discovery	Skidmap has monitored critical processes to ensure resiliency.^[1]
Enterprise	T1496	.001	Resource Hijacking: Compute Hijacking	Skidmap is a kernel-mode rootkit used for cryptocurrency mining.^[1]
Enterprise	T1014		Rootkit	Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.^[1]
Enterprise	T1053	.003	Scheduled Task/Job: Cron	Skidmap has installed itself via crontab.^[1]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Skidmap has the ability to check if `/usr/sbin/setenforce` exists. This file controls what mode SELinux is in.^[1]
Enterprise	T1082		System Information Discovery	Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.^[1]

References

Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.