New Linux Cryptojacker Can Mask CPU Usage and Fake Network Activity

Cryptojacking is a lucrative venture for malware developers, but it comes with a problem: cryptojackers consume a lot of the processor’s resources, which makes the attack very noticeable to the victim. One strain of cryptojacker has developed a way to avoid detection by masking the tell-tale signs from the user.

The Arrival of Skidmap

Skidmap is a Linux-based malware which mines cryptocurrency on computers and servers without the owner’s permission. What makes Skidmap so dangerous is its wide range of advanced features that make it a pain to locate and stop.

Hiding the CPU’s True Usage

For one, it can mask its CPU usage. It does this with a rootkit that hides how much of the processor is actually being used. This is handy for Skidmap, as its performance-tanking attack will prompt users to look at their system resources. If they see the spoofed CPU usage, they’ll attribute any slowdown to another part of the computer, taking the heat off the malware.
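One defensive cross-check for the CPU masking described above (an added example, not code from the article or from any Skidmap analysis): compare the system-wide busy time in `/proc/stat` with the sum of per-process CPU time from `/proc/<pid>/stat`. A large gap means one view is misreported or a process is hidden. The snapshots, the `stat_line` helper and `THRESHOLD` are constructed or assumed values.

```python
# Constructed sample data below; on a live host read /proc/stat and /proc/<pid>/stat twice.

def cpu_busy_ticks(proc_stat_text):
    """Busy ticks (user + nice + system) from the aggregate 'cpu' line of /proc/stat."""
    for line in proc_stat_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            return sum(int(v) for v in parts[1:4])
    raise ValueError("no aggregate 'cpu' line")

def process_ticks(pid_stat_line):
    """utime + stime from a /proc/<pid>/stat line. comm may hold spaces or ')'."""
    rest = pid_stat_line[pid_stat_line.rindex(")") + 1:].split()
    return int(rest[11]) + int(rest[12])  # rest[0] is field 3, so fields 14 and 15

def unexplained_share(stat_before, stat_after, procs_before, procs_after):
    """Share of the larger CPU measurement that the other view fails to account for."""
    aggregate = cpu_busy_ticks(stat_after) - cpu_busy_ticks(stat_before)
    per_process = 0
    for pid, line in procs_after.items():
        earlier = process_ticks(procs_before[pid]) if pid in procs_before else 0
        per_process += max(0, process_ticks(line) - earlier)  # clamp on PID reuse
    larger = max(aggregate, per_process)
    return 0.0 if larger <= 0 else abs(aggregate - per_process) / larger

def stat_line(pid, comm, utime, stime):
    """Build a constructed /proc/<pid>/stat line (first 21 fields only)."""
    return f"{pid} ({comm}) S 1 {pid} {pid} 0 -1 4194560 100 0 0 0 {utime} {stime} 0 0 20 0 1 0"

# Constructed snapshots taken a few seconds apart: 60 busy ticks system-wide,
# but the visible processes only account for 20 of them.
STAT_BEFORE = "cpu  1000 0 500 90000 100 0 0 0 0 0\ncpu0 1000 0 500 90000 100 0 0 0 0 0"
STAT_AFTER = "cpu  1040 0 520 90540 100 0 0 0 0 0\ncpu0 1040 0 520 90540 100 0 0 0 0 0"
PROCS_BEFORE = {1: stat_line(1, "systemd", 10, 5), 812: stat_line(812, "Web Content)", 200, 50)}
PROCS_AFTER = {1: stat_line(1, "systemd", 12, 6), 812: stat_line(812, "Web Content)", 215, 52)}

THRESHOLD = 0.25  # assumed tolerance; tune against a known-clean baseline

def looks_suspicious():
    """True when the two views of CPU time disagree by more than THRESHOLD."""
    return unexplained_share(STAT_BEFORE, STAT_AFTER, PROCS_BEFORE, PROCS_AFTER) > THRESHOLD

if __name__ == "__main__":
    share = unexplained_share(STAT_BEFORE, STAT_AFTER, PROCS_BEFORE, PROCS_AFTER)
    print(f"unexplained share: {share:.0%}, suspicious: {looks_suspicious()}")
```

A rootkit that controls the kernel can falsify both views consistently, so agreement here does not prove a clean host. Measurements taken from outside the running system, such as hypervisor-side counters, are harder to tamper with.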

Hiding Its Network Activity

Cryptojackers need to send data over the network to mine funds for their owner. This traffic, too, can be a “fingerprint” that gives away a cryptojacker’s location. As such, Skidmap uses its rootkit to mask its network traffic so that the user can’t spot the communications going to and from the malware.

Persisting Past Cleanup

Skidmap can also infect the kernel of the operating system, meaning it’s harder to clean it out completely. Even if the user manages it, Skidmap has many ways of sneaking around a network, meaning it can re-infect cleaned devices.

Why Does It Infect Linux?

Typically, malware that makes the developer money targets Windows. This is because of Windows’ high adoption rate; the more computers that run Windows, the further the malware can spread, and the more money the developer makes. So why does this one target Linux, the OS that’s cited as the hardest one to spread malware on?

Legitimate cryptominers know the weaknesses of mainstream OSs and have turned to Linux for their mining needs, since a malware attack is less likely there than on a Windows machine.

As a result, heavy-duty mining rigs typically run Linux. These are prime targets for cryptojacker developers, who are keen to piggyback on the rig’s processing power to make themselves some money.

What to Do in the Face of Skidmap

Due to Skidmap’s evasive nature, it’s highly recommended not to allow it to get a foothold on your system. As such, the common practices for avoiding a nasty infection are recommended here.

Keep your servers and systems up to date to help combat this threat. Try not to download and open files on a mining computer, or even on a computer on the same network. Don’t give root permission to unknown files. Your computers may be running Linux, but these days that doesn’t give you a free pass from malware!

Mapping Out Skidmap’s Plan

Skidmap is a nasty example of advanced cryptojacking. It can burrow into a Linux kernel, survive multiple wipes, and mask its footprints using false CPU usage information and fake network traffic. A Skidmap infection is hard to shake, so do your best to prevent the initial infection.

Will this news make you more wary of a cryptojacker infection? Let us know below.

Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.


  1. “It can burrow into a Linux kernel”
    How? Kernel access requires a root password. How does Skidmap obtain that? You never explained.

  2. I would assume that running CHRootkit or RKHunter might help to find and get rid of this pest? As it is now….I don’t believe in this crypto money stuff. I prefer having real money not stuff that “floats” out in the ether, and hoping I can get it when I need it!

    On the Linux side of things, I think this would apply more to those who have powerful rigs….people like myself who have Dell Latitude laptops that are Duo-Core and can only run with 8GB of RAM…..should be the least likely targets for these kinds of attacks, I’m sure the bandits are more interested in the rigs that have multiple Core i7’s in it…and that can run with up to 32GB of RAM, since I don’t own anything like that?…I don’t think I’m too worried about this. Thinking about it now?….if the crooks ever DID try to use my machine?..I think I would slow THEIR networks down….because of my “old” and just barely working hardware! Hahahahaha!!!…

  3. A Skidmap infection is hard to shake, so do your best to prevent the initial infection.

    It is nice to say avoid the infections, but … how about some suggestions other than not running root all the time?
