A new and improved SkidMap malware strain currently targets vulnerable Redis servers. Based on reports, the malware developers have designed the new strain to infect a wide range of Linux systems.
Moreover, security researchers stated that the new SkidMap variant adapts itself to the system on which it operates. The malware is also designed to target several Linux distributions, including Alibaba, openEuler, EulerOS, Stream, RedHat, Rocky, CentOS, and Anolis.
The first SkidMap malware sightings occurred in 2019.
Investigations in 2019 first identified the SkidMap malware. Its first variant was a cryptocurrency-mining botnet that loaded malicious kernel modules to hide its activities and monitor the miner's behaviour.
Researchers also discovered that the malware operators have been obfuscating their backup C2 IP address on the Bitcoin blockchain, like another botnet malware called Glupteba.
Threat analysts noted that the SkidMap operators' strategy is to retrieve real-time information from a decentralised and essentially undetectable data source and use it to generate a command-and-control IP address. Generating the address this way makes the infrastructure harder to shut down and lets the actors move to a new C2 IP address quickly and efficiently.
Furthermore, the latest cybercriminal campaign these threat actors execute includes infiltrating unsecured Redis server instances to launch a dropper shell script designed to spread an ELF binary that poses as a GIF image file.
Next, the binary adds SSH keys to the "/root/.ssh/authorized_keys" file, deactivates SELinux, and sets up a reverse shell that pings an attacker-controlled server every hour. This process ultimately downloads a package matching the host's Linux distribution and kernel.
The package also includes several shell scripts that install kernel modules, execute processes to hide its tracks by removing logs, and deploy a botnet component that can retrieve additional rootkit payloads, hide the miner process, and analyse, modify, or launch network packets.
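As an added defender-side example that is not part of the original report, the following Python checks look for three of the host artefacts described above: a .gif-named file that actually begins with an ELF header, SSH keys in root's authorized_keys that are not in a known baseline, and an SELinux configuration set to disabled. All sample inputs (file contents, key blobs) are constructed placeholders, not real indicators.

```python
import re
ELF_MAGIC = b"\x7fELF"

def is_masquerading_elf(filename: str, content: bytes) -> bool:
    """True when a file named like a GIF image actually begins with an ELF header."""
    return filename.lower().endswith(".gif") and content.startswith(ELF_MAGIC)

def selinux_disabled(selinux_config: str) -> bool:
    """True when an /etc/selinux/config-style text sets SELINUX=disabled."""
    for line in selinux_config.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SELINUX":
            return value.strip().lower() == "disabled"
    return False

KEY_RE = re.compile(r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")

def unexpected_authorized_keys(authorized_keys: str, baseline: set) -> list:
    """Return key blobs in an authorized_keys text that are not in the baseline.
    Matching on the base64 blob ignores options and comments, which an intruder sets freely."""
    unexpected = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m and m.group(2) not in baseline:
            unexpected.append(m.group(2))
    return unexpected

# Constructed sample inputs; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# key issued by the admin team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminPlaceholder0000000000000000000000000000 admin@host
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownPlaceholder00000000000000000 x
"""
BASELINE = {"AAAAC3NzaC1lZDI1NTE5AAAAIAdminPlaceholder0000000000000000000000000000"}
SAMPLE_SELINUX_CONFIG = "# This file controls the state of SELinux\nSELINUX=disabled\nSELINUXTYPE=targeted\n"

def audit_host() -> dict:
    """Run the three checks over the constructed samples and collect findings."""
    fake_gif = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # ELF e_ident bytes, no GIF magic
    return {
        "masquerading_elf": is_masquerading_elf("payload.gif", fake_gif),
        "selinux_disabled": selinux_disabled(SAMPLE_SELINUX_CONFIG),
        "unexpected_keys": unexpected_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE),
    }

if __name__ == "__main__":
    print(audit_host())
```

On a real host the same functions would be fed the bytes of suspicious files, the contents of /root/.ssh/authorized_keys, and /etc/selinux/config, with the baseline taken from configuration management.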
Cybersecurity experts expect this new variant to significantly increase its presence in the cybercriminal landscape, especially among organisations that run vulnerable Redis servers.