Skidmap

Skidmap, a malicious software (malware), was first detected in 2019 and is primarily designed to target Linux systems for cryptomining purposes. The malware infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, Skidmap can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware is particularly notorious for its ability to hide its cryptocurrency mining activities using kernel-mode rootkits, making it difficult to detect and remove. By August 2023, threat actors began leveraging a more sophisticated variant of Skidmap, targeting poorly secured Redis servers. This variant could compromise various Linux distributions, including Alibaba, RedHat, Stream, Anolis, and openEuler. The new version of Skidmap demonstrated significant sophistication by setting up cron tasks with a variable using base64 string, adapting to the operating system where it gets executed, and choosing the binary to download based on the Linux Distribution architecture on the infected system. Historically, Skidmap has been used to covertly mine cryptocurrency and create false network traffic and CPU usage by loading malicious kernel modules. In addition, Skidmap has the capability to set up a secret master password that provides access to any user account in the system. These activities bear similarities to other cryptojacking operations such as Rocke, TeamTNT, and WatchDog. Despite its evolution over time, the core objective of Skidmap remains consistent: exploiting vulnerabilities to mine cryptocurrency undetected.