Experts have spotted a new stealth Linux malware called Shikitega (Security Affairs)

A new Linux malware dubbed Shikitega leverages a multi-step infection chain to target endpoints and IoT devices.

AT&T Alien Labs researchers have discovered a new stealth Linux malware, dubbed Shikitega, that targets endpoints and IoT devices. The malware is distinguished by its multi-step infection chain; threat actors use it to take full control of the system and conduct other malicious activities, including cryptocurrency mining.

Shikitega is able to download next stage payloads from a C2 server and execute them directly in memory, making it very evasive.

Experts have reported that the malware downloads and runs Metasploit meterpreter “Mettle” to take control of infected machines.

Shikitega exploits vulnerabilities to elevate privileges and maintain persistence. Researchers have also observed that it uses a polymorphic encoder to evade detection by antivirus engines.

The main malware dropper is a small ELF file (370 bytes in size), while the actual code size is around 300 bytes.

“The malware uses the ‘Shikata Ga Nai’ XOR polymorphic additive feedback encoder, which is one of the most popular encoders used in Metasploit. Using the encoder, the malware cycles through multiple decoding loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed,” reads the analysis published by AT&T Alien Labs. “After several decryption loops, the final payload shellcode will be decrypted and executed.”

Once the malware is installed on a targeted host, it downloads and runs the “Courage” meterpreter to maximize control over the system and perform multiple operations.

The findings add to a growing list of Linux malware that has been found in the wild in recent months, including GMP Gate, Symbiote, Syslogk, OrBit and Lightning Framework.

The malware achieves privilege escalation by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493. It uses these exploits to download and execute the final stage with root privileges: the malware's persistence mechanism and its payload.

“Threat actors continue to research ways to deliver malware in new ways to stay under the radar and avoid detection. Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder and it gradually delivers its payload where each step only reveals a part of the total payload. Additionally, the malware abuses known hosting services to host its command and control servers. Be careful!” concludes the report.


Pierluigi Paganini
