Skidmap: A Sophisticated Threat That Can Infiltrate Linux Computers

In this article, we discuss a highly capable malicious application called Skidmap. It was designed to infect Linux systems, so if your computer runs Windows it is not a concern for you. Linux users, however, have two reasons to worry: the malware not only misuses a device to mine cryptocurrency but also gives its creators access to the infected system. The worst part is that it is good at hiding and can run unnoticed, so its victims may not realize it is on their machines. Further in this article, you can find more information about how the malware works as well as other essential details, such as how Skidmap might be spread and how to protect your system from it.

Let us start by explaining how Skidmap could enter a system running Linux. According to the Trend Micro researchers who discovered and analyzed the malware, it installs itself through crontab, the time-based job scheduler of Unix-like operating systems: a cron entry periodically downloads and runs a script called pm.sh, which in turn downloads the malware’s main installer, detected by Trend Micro as SKIDMAP.UWEJX. Before launching this file, the infection tries to lower the targeted machine’s security settings. If the file /usr/sbin/setenforce exists on the device, the threat runs it with the argument 0, which switches Security-Enhanced Linux (SELinux) into permissive mode so that its policy is no longer enforced. If the device contains the file /etc/selinux/config, the malware writes the settings SELINUX=disabled and SELINUXTYPE=targeted into it, so that SELinux stays off after a reboot. Either step weakens the targeted system and lets Skidmap’s components run unnoticed.

After settling in, the malware sets up a backdoor so that its operators can access the infected device whenever they want: it adds its handlers’ public key to the authorized_keys file, which lists the keys accepted for SSH authentication. To have a second way in, the infection also replaces a system file with a malicious copy. To be more precise, researchers noticed that the malware replaces pam_unix.so, the PAM module responsible for standard Unix password authentication, with a version detected as PAMDOR.A. Unlike the original module, the replacement accepts a particular attacker-chosen password for any user. As a result, the hackers behind Skidmap can log in as if they were the infected device’s users. We cannot say why the cybercriminals wanted to make sure they could reach an infected system one way or the other. Perhaps they plan on dropping more malware, such as applications designed to spy on a user. However, it is too early to say, as the threat is still fairly new.
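
Both access paths leave checkable traces: a module that no longer matches what the package manager installed, and a public key nobody on the team issued. The Python below is an added example for this article, not Trend Micro’s code and not part of Skidmap; it checks a file against a dpkg-style md5sums table and lists authorized_keys entries whose SHA256 fingerprint is not on an allowlist. The authorized_keys content and the key blobs are constructed (the blobs are arbitrary bytes, not real keys), and the path pattern under /var/lib/dpkg/info is the Debian-family location; on RPM systems the equivalent check is `rpm -V pam`.

```python
import base64
import glob
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse a dpkg '<package>.md5sums' body ('<md5>  <path without leading />')
    into {absolute_path: md5hex}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table["/" + parts[1].strip()] = parts[0].lower()
    return table


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, recorded):
    """'ok' if the on-disk hash matches the recorded one, 'MODIFIED' if not,
    'unknown' if the package database has no entry for the path."""
    expected = recorded.get(path)
    if expected is None:
        return "unknown"
    return "ok" if file_md5(path) == expected else "MODIFIED"


def demo_verify():
    """Constructed stand-ins: an intact copy and a replaced one, checked
    against a hash table built from the intact copy."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "pam_unix.so")
        bad = os.path.join(d, "pam_unix.so.replaced")
        with open(good, "wb") as f:
            f.write(b"\x7fELF stand-in for the distribution's module")
        with open(bad, "wb") as f:
            f.write(b"\x7fELF stand-in for a swapped-in module")
        recorded = {good: file_md5(good), bad: file_md5(good)}
        return (verify_file(good, recorded), verify_file(bad, recorded),
                verify_file(os.path.join(d, "other"), recorded))


def ssh_key_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment) per key line.  Leading options are
    skipped; an option value containing whitespace is not handled here."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                yield f, fields[i + 1], " ".join(fields[i + 2:])
                break


def unknown_keys(text, allowed_fingerprints):
    """Entries whose fingerprint is not on the allowlist of keys you issued."""
    out = []
    for keytype, blob, comment in parse_authorized_keys(text):
        fp = ssh_key_fingerprint(blob)
        if fp not in allowed_fingerprints:
            out.append((keytype, fp, comment))
    return out


# Constructed authorized_keys content; the blobs are arbitrary bytes, not keys.
KNOWN_BLOB = base64.b64encode(b"constructed blob for the admin's key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed blob for an unexpected key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys issued by the team
ssh-ed25519 {KNOWN_BLOB} admin@workstation
no-pty ssh-rsa {ROGUE_BLOB}
"""
ISSUED_FINGERPRINTS = {ssh_key_fingerprint(KNOWN_BLOB)}


if __name__ == "__main__":
    print(demo_verify())
    print(unknown_keys(SAMPLE_AUTHORIZED_KEYS, ISSUED_FINGERPRINTS))
    # Debian-family host: check pam_unix.so against libpam-modules' recorded hashes.
    for md5file in glob.glob("/var/lib/dpkg/info/libpam-modules*.md5sums"):
        with open(md5file) as f:
            recorded = parse_md5sums(f.read())
        for path in recorded:
            if path.endswith("/pam_unix.so"):
                print(path, verify_file(path, recorded))
```

The md5 table is only as trustworthy as the package database on the same disk, so for a host you actually suspect, compare against hashes from a clean installation of the same package version, and remember that the comparison is meant to catch a swapped file, not to withstand a deliberate collision.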

Once this task is over, Skidmap drops a cryptocurrency miner. A cryptocurrency miner is a tool that uses the resources of the device it is installed on to mine Bitcoin, Monero, or other cryptocurrencies. It is important to stress that while a miner might not do anything overtly destructive, such as damaging files on the system, its activity still affects the machine. By keeping the processor at full load, a miner raises power consumption and heat and wears the hardware faster. And if it consumes a large share of the machine’s resources at once, the computer becomes sluggish. Not to mention, a device infected with hackers’ mining tools is misused to generate money for them. Thus, while the tool may not be highly harmful, it does nothing good for your system or for you either.

As said earlier, Skidmap can hide its presence, so the threat may stay on a machine for a long time without the victim suspecting anything. According to the researchers, the malware hides with the help of a few additional components that it drops on the system. One of them is a kernel module called iproute, which hooks the getdents system call, the call used to list a directory’s contents, so that particular files are left out of directory listings. Another is a rootkit called netlink, which fakes network traffic statistics and CPU-related statistics; for instance, it can make it look as though the computer’s CPU usage is low. In reality, CPU usage should be high, since the processor is the main resource cryptocurrency miners consume. A falsely low CPU reading therefore keeps a user from realizing that a miner or other malware is on the system.
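
Because the hiding is done by hooking specific kernel interfaces, a practitioner looks for places where two kernel sources disagree. The Python below is an added example for this article, not Trend Micro’s code and not derived from the Skidmap rootkits. It shows two such cross-checks: CPU busy time computed from two /proc/stat samples against the 1-minute load average (a saturated run queue with an "idle" CPU is the contradiction a statistics-faking rootkit produces), and a directory’s link count from stat() against the subdirectories a getdents()-based listing returns. The /proc/stat and /proc/loadavg lines are constructed; the thresholds are assumptions, and the approach only works when the rootkit does not fake every source at once.

```python
import os
import tempfile

# Constructed /proc/stat 'cpu' lines (user nice system idle iowait irq softirq
# steal) taken some interval apart on a 4-CPU machine that is in fact saturated.
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 0 0\ncpu0 250 0 125 2000 25 0 0 0\n"
STAT_AFTER_HONEST = "cpu  1900 0 600 8050 100 0 0 0\n"   # what the kernel would report
STAT_AFTER_FAKED = "cpu  1010 0 505 8980 100 0 0 0\n"    # what a stats-faking rootkit shows
LOADAVG = "4.12 3.98 3.50 5/312 4242\n"                   # constructed /proc/loadavg
NCPU = 4


def parse_proc_stat_cpu(text):
    """(idle, total) jiffies from the aggregate 'cpu' line.  Idle includes
    iowait; only the first eight fields are summed because guest/guest_nice
    are already counted inside user/nice."""
    for line in text.splitlines():
        if line.startswith("cpu "):
            fields = [int(x) for x in line.split()[1:]]
            idle = fields[3] + (fields[4] if len(fields) > 4 else 0)
            return idle, sum(fields[:8])
    raise ValueError("no aggregate cpu line")


def cpu_busy_fraction(stat_before, stat_after):
    idle0, total0 = parse_proc_stat_cpu(stat_before)
    idle1, total1 = parse_proc_stat_cpu(stat_after)
    elapsed = total1 - total0
    return 0.0 if elapsed <= 0 else 1.0 - (idle1 - idle0) / elapsed


def stats_contradict(stat_before, stat_after, loadavg_text, ncpu):
    """True when CPU accounting says 'nearly idle' while the 1-minute load says
    'saturated'.  Both numbers come from the kernel, so a rootkit that fakes
    both defeats this; treat a clean result as weak evidence only."""
    busy = cpu_busy_fraction(stat_before, stat_after)
    load = float(loadavg_text.split()[0])
    return busy < 0.2 and load >= 0.9 * ncpu


def hidden_subdir_count(path):
    """On ext4/xfs/tmpfs a directory's link count is 2 + its subdirectories, and
    stat() returns it without going through getdents().  A count larger than
    the listing shows means a subdirectory is hidden from the listing.
    Returns None where the filesystem does not keep the count (e.g. btrfs)."""
    nlink = os.stat(path).st_nlink
    if nlink < 2:
        return None
    listed = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    return nlink - 2 - listed


def demo_hidden_subdir_check():
    """Run the link-count check on a constructed directory: three subdirs, one file."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(d, name))
        open(os.path.join(d, "file"), "w").close()
        return hidden_subdir_count(d)


if __name__ == "__main__":
    print("honest:", round(cpu_busy_fraction(STAT_BEFORE, STAT_AFTER_HONEST), 3),
          stats_contradict(STAT_BEFORE, STAT_AFTER_HONEST, LOADAVG, NCPU))
    print("faked: ", round(cpu_busy_fraction(STAT_BEFORE, STAT_AFTER_FAKED), 3),
          stats_contradict(STAT_BEFORE, STAT_AFTER_FAKED, LOADAVG, NCPU))
    print("hidden subdirs in constructed dir:", demo_hidden_subdir_check())
    for d in ("/tmp", "/usr/lib", "/etc"):   # a few places worth checking on a live host
        if os.path.isdir(d):
            print(d, hidden_subdir_count(d))
```

A positive from either check is a reason to image the disk and inspect it from a clean system; a negative proves little, since a module that hooks one interface can hook the next one too.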

All in all, Skidmap is a threat that is difficult to detect or remove, not least because a rootkit that hides files and falsifies statistics can also lie to the tools running on the infected machine; integrity checks of a suspected host are therefore best done from trusted, offline media. Users who wish to avoid such malware are advised to keep their operating systems and other programs up to date and to use reputable antimalware tools that can guard their computers.

References

Augusto Remillano II, Jakub Urbanec. September 16, 2019. Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Trend Micro.
