AT&T Alien Labs reports that a new Linux malware dubbed Shikitega infects computer systems and IoT (Internet of Things) devices with multiple payloads. The stealthy malware leverages security flaws to gain privilege escalation and establish persistence. Once the attacker controls the system, a cryptocurrency miner is deployed.
Infection Chain Analysis
As pointed out by AT&T Alien Labs, Shikitega involves a multi-step infection chain. It delivers only a few hundred bytes per layer to trigger the next module. Each module handles a different part of the payload, after which the next one is executed.
The malware allows attackers to take full control of the system and run cryptominers. Each module has a specific task, such as downloading/executing the Metasploit Meterpreter (Mettle), setting up persistence on the infected system, exploiting Linux flaws, and downloading/executing a cryptominer.
The method used to gain initial compromise is still unknown. The first infection layer is a 370-byte ELF file containing the encoded shellcode. After decryption is complete, the final Mettle payload, with remote code execution and control capabilities, is executed via "int 0x80," which is used to invoke the appropriate syscall.
Afterwards, it downloads and runs further commands received from its C2 server by calling syscall 102. The commands are not saved to the hard drive but executed from memory. Mettle then retrieves a smaller ELF file that downloads and executes the cryptominer.
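As an added illustration (not code from the Alien Labs report), the following Python script applies a static triage heuristic suggested by the description above: it parses the ELF header and flags tiny x86 executables that carry no section-header table and contain the `int 0x80` opcode bytes (CD 80), the pattern of a few-hundred-byte shellcode dropper. The 1024-byte threshold and the combination of flags are my assumptions, and the sample is a constructed minimal ELF whose only code is an exit syscall, not the real dropper.

```python
import struct

INT_0X80, ET_EXEC, EM_386, EM_X86_64 = b"\xcd\x80", 2, 3, 62  # opcode bytes, e_type, e_machine values

def parse_elf_header(data: bytes):
    """Return the ELF header fields as a dict, or None if the bytes are not an ELF file."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"              # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                                   # ELFCLASS32: 52-byte header
        fields = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    elif ei_class == 2 and len(data) >= 64:             # ELFCLASS64: 64-byte header
        fields = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    else:
        return None
    names = ("e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize "
             "e_phentsize e_phnum e_shentsize e_shnum e_shstrndx").split()
    return dict(zip(names, fields))

def triage_elf(data: bytes, tiny_threshold: int = 1024) -> dict:
    # Heuristic (an assumption, not a signature): a tiny x86 executable with no section
    # headers that contains CD 80 deserves a closer look. CD 80 can also occur in data.
    hdr = parse_elf_header(data)
    if hdr is None:
        return {"is_elf": False}
    report = {
        "is_elf": True,
        "size": len(data),
        "tiny": len(data) < tiny_threshold,
        "executable": hdr["e_type"] == ET_EXEC,
        "x86_family": hdr["e_machine"] in (EM_386, EM_X86_64),
        "no_section_headers": hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0,
        "int80_count": data.count(INT_0X80),            # non-overlapping occurrences
    }
    report["suspicious"] = (report["tiny"] and report["executable"]
                            and report["x86_family"] and report["no_section_headers"]
                            and report["int80_count"] > 0)
    return report

def build_sample() -> bytes:
    """Constructed minimal 32-bit x86 ELF: header, one PT_LOAD segment, `mov eax,1; int 0x80`."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # class32, LE, version 1
    code = b"\xb8\x01\x00\x00\x00\xcd\x80"                         # sys_exit via int 0x80
    header = struct.pack("<HHIIIIIHHHHHH", ET_EXEC, EM_386, 1, 0x08048054,
                         52, 0, 0, 52, 32, 1, 0, 0, 0)              # e_shoff=0, e_shnum=0
    phdr = struct.pack("<IIIIIIII", 1, 0, 0x08048000, 0x08048000,
                       84 + len(code), 84 + len(code), 5, 0x1000)   # PT_LOAD, R+X
    return e_ident + header + phdr + code
```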
Moreover, Shikitega uses a polymorphic XOR additive feedback encoder dubbed Shikata Ga Nai. It was previously examined by researchers, who reported that every encoded shellcode it creates differs from the rest because it uses several techniques such as dynamic block ordering, dynamic instruction substitution, and randomization of the spacing between instructions.
In this campaign, the encoder is employed to make detection by antivirus engines harder and to exploit cloud services.
“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.”
Ofer Caspi – AT&T
Shikitega is an evasive malware because it can download next-stage payloads from a C2 server and directly execute them in memory. It achieves privilege escalation by exploiting PwnKit (CVE-2021-4034) and CVE-2021-3493. The attacker can then abuse the elevated permissions to fetch the final-stage shellcode scripts with root privileges and deploy a Monero cryptominer.