New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices
A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and drop additional payloads.
“An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist,” AT&T Alien Labs said in a new report published Tuesday.
The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
Once deployed on a targeted host, the attack chain downloads and executes Metasploit’s “Mettle” meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices.
The exact method by which the initial compromise is achieved remains unknown as yet, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
Privilege escalation is achieved by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, enabling the adversary to abuse the elevated permissions to fetch and execute the final-stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.
In a further attempt to fly under the radar, the malware operators employ a “Shikata ga nai” polymorphic encoder to make it harder for antivirus engines to detect, and abuse legitimate cloud services for C2 functions.
Shikitega is also indicative of a trend toward malicious actors expanding their attack reach to accommodate the Linux operating system, which is widely used in cloud platforms and servers the world over, contributing to a surge in LockBit and Cheerscrypt ransomware infections.
According to Trend Micro’s 2022 Midyear Cybersecurity Report, “the emergence of these new Linux ransomware families directly corresponds to […] a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.”
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi said.
“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.”
Source: https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html