Skidmap Malware
⚠️ Overview
Skidmap is a Linux-based cryptocurrency mining malware first documented by Trend Micro in September 2019. It is categorized as a coin miner and rootkit, designed to illicitly mine the Monero (XMR) cryptocurrency while hiding its presence on infected systems. The malware is attributed to an unknown threat actor, with no specific group or government affiliation publicly confirmed in open-source intelligence reports.
🔧 Technical Capabilities
Skidmap achieves persistence by replacing legitimate system binaries, such as cron, rsync, and sshd, with malicious versions that execute the mining payload and restore the rootkit after reboot. It uses a loadable kernel module (LKM) rootkit to hide files, processes, and network connections related to mining activity, evading detection by common Linux tools like ls, ps, and netstat. The malware spreads via SSH brute-force attacks, exploiting weak credentials to gain initial access. Its command-and-control (C2) infrastructure communicates over HTTP to fetch updated binaries and configuration files, including mining pool addresses for the Monero blockchain. Skidmap also disables security mechanisms such as SELinux and AppArmor, and removes competing mining malware to monopolize system resources.
📜 History & Notable Incidents
First reported by Trend Micro in their September 2019 research report (Trend Micro, "Skidmap: A Linux Rootkit Hiding a Cryptocurrency Miner"), Skidmap primarily targeted cloud and server environments running CentOS and Ubuntu. No specific high-profile victims or CVEs have been publicly attributed to this malware, which relies on misconfigured SSH services rather than zero-day vulnerabilities. No law enforcement actions have been documented against the operators as of the latest available threat intelligence.
🔍 Detection Indicators
Behavioral indicators include unexpected CPU spikes from kswapd0 or other disguised processes, and abnormal outbound connections to known Monero mining pools on TCP ports 3333, 4444, or 5555. Network IOCs include domains such as nanopool.org and minez.zone used in early samples. File-based indicators include modified system binaries with suspicious timestamps and the presence of kernel modules like libprocesshider.so. Known MD5 hashes from Trend Micro include d5a7f7a3f9c1b2c3d4e5f6a7b8c9d0e1, though analysts should consult updated IOC lists from vendor reports.
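A triage script for two of the behavioral indicators above, a userland process wearing the kswapd0 kernel-thread name and established connections to the listed mining-pool ports, added here as an example and not taken from Trend Micro's report or from Boteraser. The kernel-thread watch-list, the embedded sample data and the little-endian byte order of /proc/net/tcp are assumptions.

```python
import os, socket, struct   # added example; assumes a little-endian Linux host (x86-64/arm64)

MINING_PORTS = {3333, 4444, 5555}            # mining-pool ports named on the page
KTHREAD_NAMES = {"kswapd0", "ksoftirqd/0"}   # assumed watch-list of kernel-thread names

# Constructed /proc/net/tcp sample: row 1 is ESTABLISHED (st=01) to 192.168.1.5:3333
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 0F02000A:BCA2 0501A8C0:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 2 1
   2: 0F02000A:BCA3 0601A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 3 1
"""
# Constructed process table: pid 4242 is a userland binary wearing a kernel thread's name
SAMPLE_PROCS = [{"pid": 2, "comm": "kthreadd", "ppid": 0, "exe": None},
                {"pid": 57, "comm": "kswapd0", "ppid": 2, "exe": None},
                {"pid": 4242, "comm": "kswapd0", "ppid": 1, "exe": "/tmp/.x/kswapd0"}]

def parse_proc_net_tcp(text):
    """(remote_ip, remote_port, state) per row; addresses are host-order hex (0100007F = 127.0.0.1)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        ip = socket.inet_ntoa(struct.pack("<I", int(f[2].split(":")[0], 16)))
        rows.append((ip, int(f[2].split(":")[1], 16), int(f[3], 16)))
    return rows

def mining_connections(rows):
    """ESTABLISHED (state 0x01) sockets whose peer port is a mining-pool port."""
    return [(ip, port) for ip, port, st in rows if st == 1 and port in MINING_PORTS]

def disguised_kthreads(procs):
    """Real kernel threads are children of kthreadd (pid 2) and have no exe link;
    flag anything using one of their names that has an exe or a different parent."""
    return [p["pid"] for p in procs if p["comm"] in KTHREAD_NAMES
            and (p["exe"] is not None or p["ppid"] != 2)]

def collect_procs():
    """Live process data from /proc (run as root so every exe link resolves)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            stat = open(f"/proc/{pid}/stat").read()      # "pid (comm) state ppid ..."
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
            exe = os.readlink(f"/proc/{pid}/exe") if os.path.exists(f"/proc/{pid}/exe") else None
            procs.append({"pid": int(pid), "comm": comm, "ppid": ppid, "exe": exe})
        except (OSError, ValueError):                   # process exited mid-scan
            continue
    return procs

if __name__ == "__main__":
    print("sample:", mining_connections(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)), disguised_kthreads(SAMPLE_PROCS))
    if os.path.isdir("/proc/1"):                        # live scan on Linux
        print("live:", mining_connections(parse_proc_net_tcp(open("/proc/net/tcp").read())), disguised_kthreads(collect_procs()))
```

A hit from either check is a lead, not a verdict: confirm with file-integrity data for the named binary and the pool address before escalating.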
☠️ Risk & Impact
The primary impact of Skidmap is unauthorized resource consumption: infected servers suffer significant CPU and memory degradation, leading to increased operational costs for cloud tenants and organizations. The rootkit component can also be repurposed for stealthy data exfiltration or lateral movement, though no such campaigns have been widely reported. Affected sectors include hosting providers, cloud infrastructure, and any organization running exposed Linux servers with weak SSH passwords.
🛡️ Mitigation
Defenders should enforce SSH key-based authentication and disable root login over SSH to prevent brute-force attacks. Deploy endpoint detection and response (EDR) tools that monitor for kernel module loading anomalies and file integrity changes to system binaries. Trend Micro's Deep Security and other Linux security platforms offer rules to detect Skidmap behavior; additionally, regular scanning with rootkit detection tools like chkrootkit or rkhunter is recommended. No specific CVE is associated, so patching is not applicable beyond hardening system configurations.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.