A new malware dubbed Shikitega has been discovered and it targets computers running Linux, as well as IoT devices with a Linux-based system. Let’s take stock of this new threat.
The Shikitega malware exploits vulnerabilities to elevate its privileges on the infected machine (CVE-2021-4034, known as PwnKit, and CVE-2021-3493), and to persist on the machine it modifies the system's crontab (the scheduled task system under Linux). It can even deploy cryptocurrency mining software (XMRig version 6.17.0) on infected devices. Its peculiarity is that it is relatively stealthy and manages to evade antivirus detection thanks to its polymorphic encoder. Thus, it is not possible to detect it based on a simple signature. This is further proof that signature-based detection alone is not sufficient and that behavioral detection is needed.
In a report, security researchers at AT&T, who discovered this malware, said: “Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder and gradually delivers its payload, with each step revealing only part of the total payload.” Indeed, the infection chain is split into several stages, and at each stage a part of the malware is deployed. For example, the infection starts with a 370-byte ELF file.
To produce the malicious shellcode that will ultimately be executed on the infected machine, the malware goes through several decoding loops, where each loop decodes the next layer until the final payload is decoded, and thus reconstructed, so that it can be executed. Once in place, the Shikitega malware connects to the attackers’ command and control (C2) server in order to receive additional commands to execute. For instance, the attackers can download and run Mettle on the infected host, a lightweight and portable version of Meterpreter that offers additional options such as remote control.
At the crontab level, the malware adds 4 tasks, 2 for the root superuser and 2 others for the current user. Here are the names of the scripts executed via the crontab: brict.sh, politrict.sh, truct.sh and restrict.sh. In addition, the unix.sh script is downloaded and it is used to check the existence of the “crontab” command: if it is not present, it installs the necessary package and starts the service.
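The crontab entries described above are something a defender can audit directly. The following POSIX shell script is an added example, not code from the article or from AT&T's report: it reads crontab text on standard input and flags lines that reference the script names the article attributes to Shikitega (brict.sh, politrict.sh, truct.sh, restrict.sh, unix.sh). As a behavioral complement to that name list, it also flags any cron entry that runs a command from /tmp, /var/tmp or /dev/shm; that heuristic is an assumption of this example and is not taken from the article. The sample crontab embedded at the end is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit crontab text for Shikitega
# indicators and for a generic "runs from a temp directory" heuristic.

# Script names the article attributes to Shikitega's crontab persistence.
SHIKITEGA_SCRIPTS="brict.sh politrict.sh truct.sh restrict.sh unix.sh"

# classify_cron_line LINE: print NAME-MATCH, TMP-PATH or OK.
# Returns 0 when the line is suspicious, 1 when it looks normal.
classify_cron_line() {
    line=$1
    for s in $SHIKITEGA_SCRIPTS; do
        case "$line" in
            *"$s"*) echo "NAME-MATCH"; return 0 ;;
        esac
    done
    # Heuristic (assumption of this example): cron jobs should not live in
    # world-writable scratch directories.
    case "$line" in
        */tmp/*|*/dev/shm/*) echo "TMP-PATH"; return 0 ;;
    esac
    echo "OK"
    return 1
}

# find_suspicious_cron: read crontab text on stdin, print tagged suspicious
# lines, return 0 if any were found and 1 otherwise.
find_suspicious_cron() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;   # skip comments and blank lines
        esac
        tag=$(classify_cron_line "$line") || continue
        printf '%s: %s\n' "$tag" "$line"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# count_suspicious_cron: number of suspicious lines in stdin.
count_suspicious_cron() {
    find_suspicious_cron | wc -l | tr -d ' '
}

# Constructed sample crontab: two benign jobs, two named Shikitega scripts,
# and one unrelated job started from /dev/shm.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/apt update
*/1 * * * * /tmp/.d/brict.sh
@reboot /var/tmp/restrict.sh >/dev/null 2>&1
@hourly /dev/shm/.x/run.sh
30 6 * * 1 /home/user/backup.sh'

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CRONTAB" | find_suspicious_cron

# On a live host, audit the current user and root (root needs sudo):
#   crontab -l 2>/dev/null | find_suspicious_cron
#   sudo crontab -l -u root 2>/dev/null | find_suspicious_cron
#   cat /etc/cron.d/* 2>/dev/null | find_suspicious_cron
```

The name list is a signature and will miss a renamed script, which is exactly the article's point; the temp-directory rule catches the behaviour regardless of the file name, at the cost of occasional false positives on legitimate jobs that really do run from /tmp, so review hits rather than acting on them blindly.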
Although it is currently focused on mining the Monero cryptocurrency, it cannot be ruled out that the Shikitega malware will be used for other purposes in the future. To protect against this threat, it is advisable to keep your Linux system up to date and to use protection tools, in particular an EDR.