A “new, improved, dangerous” Linux malware called SkidMap is targeting exposed, poorly secured Redis services across a wide range of Linux distributions. The malware adapts itself to the system it lands on and has been observed targeting Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky.

SkidMap was first documented in September 2019 by Trend Micro, which identified it as a cryptocurrency-mining botnet able to load malicious kernel modules. Those modules let it hide its activity and keep watch over the miner process; the variant described here extends that foundation with the additional capabilities outlined below.

The operators of SkidMap store the backup command-and-control (C2) address in the Bitcoin blockchain, a decentralized data source that no party can censor or take down. The technique, also used by the Glupteba malware, means the pointer to the backup C2 cannot be removed by takedown requests, while the operator can repoint it to a new IP address simply by publishing a new transaction.

According to Trustwave security researcher Radoslaw Zdonczyk, the latest attack chain documented by Trustwave starts with a poorly secured Redis server instance, which is used to deliver a dropper shell script. The script drops an ELF binary disguised as a GIF image file. That binary adds SSH keys, disables SELinux, establishes a reverse shell that beacons to an actor-controlled server every 60 minutes, and finally downloads a package matched to the Linux distribution and kernel version in use.
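The article does not spell out how the Redis instances were "poorly secured", but the settings that typically make a Redis server reachable and controllable by anyone on the network are well known: listening on all interfaces, protected mode switched off, no password, and the CONFIG command left available (CONFIG SET can retarget where the server writes its snapshot file). The following audit script is an added example written for this page, not Trustwave's or the malware's code; it parses a `redis.conf` and reports those weaknesses. The directive names are real Redis configuration keys; both sample configurations are constructed, and the password value is a placeholder.

```python
"""Flag redis.conf settings that leave an instance open to unauthenticated abuse.

Added example (not from the original article). Sample configs are constructed.
"""

# Constructed example of an exposed instance (the kind of target described above).
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
daemonize yes
"""

# Constructed example of the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Commands whose presence gives an attacker control over on-disk artefacts.
DANGEROUS_COMMANDS = ("config",)


def parse_conf(text):
    """Return {directive: [value, ...]} for active (non-comment) lines.

    Redis allows a directive to appear more than once (e.g. rename-command),
    so every value is kept.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    conf = parse_conf(text)
    findings = []

    # 1. Exposure: no bind line, or a wildcard address, means the port is reachable
    #    from every interface (Redis 7 also accepts "-::*" and "*" as wildcards).
    binds = conf.get("bind", [])
    bind_tokens = [tok.lstrip("-") for value in binds for tok in value.split()]
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif any(tok in ("0.0.0.0", "::", "*", "::*") for tok in bind_tokens):
        findings.append("bind uses a wildcard address: reachable from the network")

    # 2. Protected mode refuses remote clients when no password is set; "no" disables it.
    if any(v.lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode no: remote clients are accepted without a password")

    # 3. Authentication: requirepass, an ACL file, or inline user rules must exist.
    authenticated = (
        any(v for v in conf.get("requirepass", []))
        or "aclfile" in conf
        or "user" in conf
    )
    if not authenticated:
        findings.append("no requirepass/ACL: any client can run any command")

    # 4. CONFIG SET dir/dbfilename lets a client choose where the RDB snapshot lands;
    #    renaming it to "" disables it for everyone, which is the usual mitigation.
    renamed = {v.split()[0].lower() for v in conf.get("rename-command", []) if v.split()}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd.upper()} command not renamed: clients can rewrite on-disk paths")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_redis_conf(text) or ["no findings"]:
            print("  -", finding)
```

Run it against a real `/etc/redis/redis.conf` by reading the file into `audit_redis_conf`. Note that the check is static: a server started with command-line overrides, or reconfigured at runtime with CONFIG SET, can differ from what the file says, so on a live host also compare with `redis-cli CONFIG GET '*'` over an authenticated connection.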

Once downloaded, the package contains shell scripts that install the kernel modules, purge logs, and launch a botnet component that retrieves further rootkit payloads such as mcpuinfo.ko and kmeminfo.ko. These modules hide the miner process, inspect, modify, or drop network packets, and can download the malware binary itself.

Zdonczyk warns that the malware's level of sophistication is very high, which makes it hard to detect, especially in larger server infrastructures. When it was tested on home computers, the only visible symptom was fans running at full speed and, on laptops, a rise in case temperature. The best protection against SkidMap is to secure Redis server instances so they are not reachable without authentication, and to apply updates and patches promptly.
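Because the rootkit hides the miner process, CPU load and fan noise may be the only runtime symptom, but the attack chain leaves host artefacts that can be checked directly: the added SSH keys, SELinux switched off, a task that fires every 60 minutes, and kernel modules (the article names mcpuinfo.ko and kmeminfo.ko) that do not belong to the distribution. The triage script below is an added example written for this page, not Trustwave's detection logic; it runs the four checks over constructed snapshots of the relevant files and command output so it works offline. The key comment, the cron command path and the module allow-list are assumptions chosen for the example; on a live host you would read `~/.ssh/authorized_keys`, `/etc/selinux/config`, the crontabs and `lsmod` instead.

```python
"""Triage a Linux host for the post-compromise artefacts described above.

Added example (not from the original article). All inputs are constructed
snapshots, not data captured from a real infection.
"""
import re

# --- Constructed inputs -----------------------------------------------------
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLYNOTREAL alice@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYONLYNOTREAL
"""
KNOWN_KEY_COMMENTS = {"alice@workstation"}   # assumed inventory of expected keys

SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""

CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
0 * * * * /tmp/.cache/run.sh >/dev/null 2>&1
"""

LSMOD = """\
Module                  Size  Used by
ext4                  770048  1
mcpuinfo               16384  0
kmeminfo               16384  0
"""
KNOWN_MODULES = {"ext4"}   # assumed baseline taken from a clean host of the same build

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def check_ssh_keys(text, known_comments):
    """Flag authorized_keys entries whose comment is not in the known inventory."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Entries may carry a leading options field; locate the key-type token.
        idx = next((i for i, tok in enumerate(parts) if tok in KEY_TYPES), None)
        if idx is None:
            continue
        comment = " ".join(parts[idx + 2:])
        if comment not in known_comments:
            findings.append(f"unrecognised SSH key: {parts[idx]} comment={comment!r}")
    return findings


def check_selinux(text):
    """Flag SELINUX=disabled in /etc/selinux/config."""
    for line in text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
        if m and m.group(1).lower() == "disabled":
            return ["SELinux is disabled in /etc/selinux/config"]
    return []


def check_cron(text):
    """Flag cron jobs that run from a world-writable temp dir; note hourly cadence."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        minute, hour, command = fields[0], fields[1], fields[5]
        if command.startswith(TEMP_DIRS):
            cadence = "hourly" if (minute.isdigit() and hour == "*") else "scheduled"
            findings.append(f"{cadence} cron job running from temp dir: {command}")
    return findings


def check_modules(text, known):
    """Flag loaded kernel modules absent from the baseline (lsmod output)."""
    findings = []
    for line in text.splitlines()[1:]:          # first line is the lsmod header
        tokens = line.split()
        if tokens and tokens[0] not in known:
            findings.append(f"unexpected kernel module loaded: {tokens[0]}")
    return findings


def triage():
    """Run every check over the constructed snapshots and return all findings."""
    return (check_ssh_keys(AUTHORIZED_KEYS, KNOWN_KEY_COMMENTS)
            + check_selinux(SELINUX_CONFIG)
            + check_cron(CRONTAB)
            + check_modules(LSMOD, KNOWN_MODULES))


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

Two caveats for live use. A kernel rootkit of this kind can hide its own modules from `lsmod` and `/proc/modules`, so an empty module finding is not proof of a clean host; compare against `/sys/module` as well, or examine the disk from trusted boot media. And the 60-minute beacon need not be a cron job: periodic outbound connections at that interval in flow logs are an equally useful signal regardless of how the persistence is implemented.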
