Skidmap Attacks Linux Systems to Mine Cryptocurrencies

Skidmap is a malicious application you should watch out for if you are a Linux user. This recently discovered threat appears to be very sophisticated. It can drop a cryptocurrency-mining malware on a system, hide its presence from the user, and provide its creators with root or administrative access to an infected system. In short, it can cause a lot of problems for those who may receive this threat. Therefore, in this article, we discuss what you can do to protect your computer from Skidmap and what you should do if you suspect it could be on your system. Also, we talk about how this malicious application could enter a system and what ought to happen if it succeeds, as well as why it might be so difficult to notice its presence. Naturally, if you have any questions about after reading our blog post, feel free to leave us a comment at the end of it.

The first ones who discovered Skidmap were cybersecurity researchers from Trend Micro: Augusto Remillano II and Jakub Urbanec. In their report, they explain that the malicious application can get in “through exploits, misconfigurations, or exposure to the internet.” Meaning, users who want to keep their systems safe from such threats should make sure that their computers have no exploitable vulnerabilities or misconfigurations. For starters, we recommend updating any software that could be out of date. Another thing we highly recommend is changing weak or old passwords since it is also considered to be a weakness. Plus, it is best not to visit unreliable websites, click suspicious advertisements, or interact with any material that you do not know to be safe for sure. Specialists recommend choosing a legitimate antimalware application too. A reliable security tool can stand guard and be used for a quick scan whenever a user needs to check if a file is malicious or not.

The next thing that researchers who discovered Skidmap explained in their report was how the malware is installed. It would seem it abuses a legitimate Linux service called crontab that is responsible for a system’s list of scheduled commands. Then the malicious application should drop a script that downloads and opens the malware’s launcher. The first thing that shows how sophisticated this threat is its capability to lower an attacked system’s defenses upon its launch. According to specialists, Skidmap achieves this by executing the setenforce 0 command if a file called /usr/sbin/setenforce exists or commands called SELINUX=disabled and SELINUXTYPE=targeted if the attacked system has a file titled /etc/selinux/config. Afterward, the threat should gain backdoor access to the infected Linux computer. It is obtained with the help of binary and public keys that give access to a file called authorized_keys (it contains authentication keys).

Apparently, it is not enough to have a backdoor access to a system as the malware ought to also replace a file called with a malicious file. The original file is responsible for Unix systems’ authentication, and replacing it with a malicious file allows the Skidmap’s developers to connect to a targeted computer with their created password. Having access to a system could provide numerous possibilities. For example, hackers could be able to drop more malware on a system, spy on a user, view files, and so on. What is known for certain is thatSkidmap places a cryptocurrency-mining malware.

What you should know about the threat’s cryptocurrency miner is that it can use lots of a computer’s resources such as CPU. The consequences of high CPU usage could be slower performance and faster wear. However, if a user checks his CPU usage, he might see that it is low even though his computer’s performance could suggest otherwise. That is because the malicious application employs a specific rootkit called netlink that can replace network traffic statistics with false information. Thus, even though Skidmap’s cryptocurrency miner might use a lot of an infected computer’s resources, it might not show up in the statistics. Researchers say it is only one of a few means that the malware can employ to remain undetected. For example, it can also employ a module called iproute that can be used to hide particular files. As a result, it might be tricky to detect Skidmap on a system as it has various means to conceal its activities.

To conclude, Skidmap is a threat that should be avoided at all costs or removed with no hesitation if it gets noticed on a system. Deleting it manually is unadvisable as erasing such a sophisticated threat could be too difficult for regular computer users. It is best to leave this task to a reliable security tool that could eliminate Skidmap for you. Therefore, if you suspect it could be on a system or want to check it just in case, we advise performing a full system scan with your chosen antimalware tool. If you do not have such a tool yet, we recommend picking a legitimate tool that comes from reputable creators to avoid downloading malware that pretends to be antivirus software.


Augusto Remillano II, Jakub Urbanec. September 16, 2019. Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Trend Micro.