Cybersecurity researchers have found a new strain of Linux malware, Skidmap. The sophisticated crypto mining program uses loadable kernel modules (LKMs) to help infiltrate Linux machines.

The malware hides its malicious activity by displaying fake network traffic and CPU-related stats. It not only mines cryptocurrency illicitly but also gives the attackers universal access to an infected system via a secret master password. Skidmap uses fairly advanced methods to keep its components from being detected.

The initial infection takes place in a Linux process called crontab. Then, Skidmap installs multiple malicious binaries. These lower the infected machine’s security settings so that the crypto mining can start without hindrance. Apart from the backdoor access, the malware also sets up another way of accessing the machine. It replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version. The malicious pam_unix.so file accepts a specific password for any user, which allows the attackers to log in as any user.
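A replaced pam_unix.so can be caught by comparing the module against a hash recorded while the system was known to be good. The following is an added example, not code from the researchers' report; the function names and the directory layout used in the demo are assumptions, and the module contents are constructed sample bytes.

```python
import hashlib
import os
import tempfile

WATCHED = ("pam_unix.so",)  # module named in the article; extend as needed

def sha256_file(path):
    """Hash a file in chunks so large modules do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names=WATCHED):
    """Map relative path -> SHA-256 for every watched module under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in names:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def audit(root, baseline, names=WATCHED):
    """Return (path, status) findings: missing, modified or unexpected."""
    current = build_baseline(root, names)
    findings = []
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    for rel in sorted(set(current) - set(baseline)):
        findings.append((rel, "unexpected"))  # extra copy not in the baseline
    return findings

def demo():
    """Constructed scenario: record a baseline, then swap the module."""
    with tempfile.TemporaryDirectory() as root:
        sec = os.path.join(root, "lib", "security")  # hypothetical layout
        os.makedirs(sec)
        module = os.path.join(sec, "pam_unix.so")
        with open(module, "wb") as f:
            f.write(b"constructed known-good module bytes")
        baseline = build_baseline(root)
        clean = audit(root, baseline)
        with open(module, "wb") as f:
            f.write(b"constructed replaced module bytes")
        return clean, audit(root, baseline)
```

Because the article describes a rootkit that falsifies what the running system reports, the baseline should be stored off the host and the audit is best run against the disk mounted from trusted media.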

According to the analysts, the Linux malware Skidmap can mask the crypto mining by using a rootkit. This is a program that installs and executes code on a system without end-user consent. This kind of activity is called cryptojacking, and it has been plaguing the crypto industry lately, the source says.