Home > News > Unleashing Chaos: The Sophisticated SkidMap Variant Targeting Unsecured Redis Servers

Unleashing Chaos: The Sophisticated SkidMap Variant Targeting Unsecured Redis Servers


Introduction: Redis and the New SkidMap Variant

As the number of unsecured servers continues to grow, malicious actors are finding new and innovative ways to exploit them. One of the latest and most alarming campaigns targets Redis servers using a new and sophisticated variant of SkidMap malware. Discovered by Trustwave researchers, this variant showcases the constant evolution of malware and the dangers of leaving servers unprotected.

SkidMap: A Brief History

What is SkidMap?

SkidMap is a notorious crypto-miner malware detected by Trend Micro in September 2019. Unlike similar miners, SkidMap's unique feature is its utilization of kernel-mode rootkits to evade detection. It has wreaked havoc by targeting Linux machines and loading malicious kernel modules, all while concealing its actions from the host system.

Evolution of SkidMap

SkidMap's history of targeting Linux machines has been marked by continuous evolution. From its initial detection, each subsequent variant has added new functionalities and increased sophistication.


Analyzing the New Variant: A Targeted Attack on Redis Servers

Targeted Linux Distributions

The new SkidMap variant, designed to target a wide range of Linux distributions, including Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock, signifies an expansion of its reach.

The Focus on Open Redis Instances (NO AUTH)

The recent variant observed by researchers focuses exclusively on open Redis instances, commonly referred to as ‘NO AUTH.' The absence of brute-force attacks indicates a specific and strategic approach.

A Deep Dive Into the Attack Chain

Initial Attempts and Setup

The attack begins with an attempt to log into an unsecured Redis instance, followed by setting up variables containing base64-encoded cron tasks. These tasks are crucial in initiating the subsequent steps of the malware's execution.

Alternating Download Methods

Every 10 minutes, the Cron alternates between β€˜curl’ and β€˜wget’ to download and execute the dropper script, showcasing adaptability and persistence in maintaining the attack.

Deployment of the Dropper Shell Script

Threat actors then deploy a shell script, masquerading as a binary executable file (ELF) disguised as a GIF image file. This contrasts with previous versions of the malware that used β€˜jpeg’.

Adding SSH Keys and Disabling SELinux

Once deployed, the malware adds ssh keys in standard locations and disables the SELinux, a vital step in maintaining unauthorized access and facilitating further malicious actions.

Creating a Reverse Shell

A reverse shell is created to communicate back to the C2 server every hour via TCP/8443 port, a stealthy and efficient way to maintain control over the compromised system.

Downloading Specific Packages

Depending on the Linux distribution and kernel, the malware downloads an appropriate package named gold, stream, or euler, further highlighting the variant's adaptability.

Installation of Kernel Modules and Launching a Bot

A series of shell scripts install the kernel modules, purge logs, and launch a bot to enable additional rootkit payloads. Payloads like mcpuinfo.ko are used to hide the miner, while kmeminfo.ko inspects and manipulates network packets.

Conclusions from the Trustwave Report

Detecting the Malware: A Daunting Task

According to the report, the advancement of this malware is significant, making detection in large server infrastructures highly challenging. On home computers, excessive fan operation and case temperature were the only indicators.

The Vulnerability of Redis: A Warning

The report concludes with a stern warning about Redis. Exploiting its flaws is not complex. Designed for closed environments, Redis's vulnerability by design calls for reconsideration of its placement at the network's edge. Later releases did add security features, but the inherent risks remain.

Indicators of Compromise (IoCs) and Further Analysis

The Trustwave report also includes Indicators of Compromise (IoCs), essential for those dealing with potential threats from this variant. The published details provide valuable insights and tools for understanding and countering this evolving threat.


Redis Security: Recommendations and Best Practices

Understanding Redis Security Architecture

To counter the risks posed by SkidMap, understanding Redis's security architecture is vital. The inherent vulnerability requires stringent security measures.

Applying Patches and Keeping Systems Updated

Regular updates, patches, and monitoring of Redis servers are essential in maintaining security and thwarting potential attacks by variants like SkidMap.

Implementing Network Segmentation and Firewalls

Implementing network segmentation and firewalls can limit the spread of malware and protect the integrity of the server environment.

Continuous Monitoring and Incident Response

Continuous monitoring, coupled with a robust incident response plan, can facilitate early detection and prompt action to mitigate potential damage.


Conclusion: A Grave Reminder of Unceasing Threats

The newly discovered SkidMap variant is a glaring example of how malicious threats continue to evolve, targeting weaknesses in system security. The attack on unsecured Redis servers is a wake-up call to businesses and individuals alike. As technology advances, so does the sophistication of cyber-attacks. Staying vigilant and implementing comprehensive security measures are essential in this unending battle against cyber threats.

Further Resource:

  1. Understanding SkidMap: For a detailed analysis of the SkidMap malware, you can refer to Trend Micro's original research from September 2019.
  2. Latest Security Updates and Patches: If you are using any of the affected Linux distributions, make sure to check the respective security pages for updates and patches, such as:
  3. Trustwave Report: To dive into the technical details of the new SkidMap variant, the full report by Trustwave researchers provides an in-depth analysis.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.