New Linux malware combines unusual stealth with a full suite of capabilities

Researchers this week unveiled a new strain of Linux malware that is notable for its stealth and sophistication in infecting both traditional servers and smaller Internet-of-things devices.

Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is delivered through a multistage infection chain that uses polymorphic encoding. It also abuses legitimate cloud services to host its command-and-control servers. Together, these traits make detection extremely difficult.

“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi wrote. “Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers.”


The ultimate objective of the malware is not clear. It drops the XMRig software for mining the Monero cryptocurrency, so stealthy cryptojacking is one possibility. But Shikitega also downloads and executes a powerful Metasploit package known as Mettle, which bundles capabilities including webcam control, credential stealing, and multiple reverse shells into a package that runs on everything from “the smallest embedded Linux targets to big iron.” Mettle’s inclusion leaves open the possibility that surreptitious Monero mining is not its only function.

The initial dropper is tiny: an executable file of just 376 bytes.


The polymorphic encoding comes courtesy of the Shikata Ga Nai encoder, a Metasploit module that makes it easy to encode the shellcode delivered in Shikitega payloads. The encoding is combined with a multistage infection chain, in which each link is responsible for part of the previous one, downloading and executing the next stage.

“Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed,” Caspi explained. “The encoder stub is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically.”



A command server responds with additional shell commands for the targeted machine to execute, as Caspi documented in the packet capture shown below. The bytes marked in blue are the shell commands that Shikitega will execute.

[Packet capture image; credit: AT&T Alien Labs]

The commands and additional files, such as the Mettle package, are automatically executed in memory without being saved to disk. This adds further stealth by making detection by antivirus protection difficult.
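One host-side check for the in-memory execution described above, written here as an added example (not code from the article or from AT&T Alien Labs): on Linux, a process whose executable was never written to disk, or was unlinked right after launch, shows up in `/proc/<pid>/exe` as a `memfd:` or `(deleted)` target. The sample process table below is constructed for illustration; the `read_proc_exes` helper gathers the real table when run on a Linux host.

```python
"""Flag running processes whose executable image does not exist on disk."""
import os
import re
from typing import Dict, List, Optional, Tuple

# readlink('/proc/<pid>/exe') targets that indicate a fileless executable.
MEMFD_RE = re.compile(r"^/memfd:")          # created with memfd_create()
DELETED_RE = re.compile(r" \(deleted\)$")   # binary unlinked after exec


def classify_exe_target(target: str) -> Optional[str]:
    """Return a reason if the exe link target looks fileless, else None."""
    if MEMFD_RE.match(target):
        return "memfd-backed executable"
    if DELETED_RE.search(target):
        return "executable deleted from disk"
    return None


def find_fileless(proc_exes: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """proc_exes maps pid -> exe link target; returns (pid, target, reason) hits."""
    hits = []
    for pid, target in sorted(proc_exes.items()):
        reason = classify_exe_target(target)
        if reason is not None:
            hits.append((pid, target, reason))
    return hits


def read_proc_exes(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect exe link targets for every readable process (Linux only)."""
    result: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            result[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads, exited processes, or no permission
            continue
    return result


# Constructed sample process table, not real telemetry.
SAMPLE_PROC_EXES = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:payload (deleted)",      # executed straight from memory
    5150: "/tmp/.cache/stage2 (deleted)",  # dropped, run, then unlinked
    6001: "/usr/bin/python3",
}

if __name__ == "__main__":
    table = read_proc_exes() if os.path.isdir("/proc") else SAMPLE_PROC_EXES
    for pid, target, reason in find_fileless(table):
        print(f"pid {pid}: {reason}: {target}")
```

A hit is a lead, not a verdict: legitimate software updated in place while running also shows a `(deleted)` target, so correlate with parent process, network connections and file history before acting.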

To maximize its control over the compromised machine, Shikitega exploits two critical privilege-escalation vulnerabilities that give it full root access. One bug, tracked as CVE-2021-4034 and colloquially known as PwnKit, lurked in the Linux kernel for 12 years until it was discovered early this year. The other vulnerability is tracked as CVE-2021-3493 and came to light in April 2021. While both vulnerabilities have received patches, the fixes may not be widely installed, particularly on IoT devices.

The post provides file hashes and domains associated with Shikitega that defenders can use as indicators of compromise. Given the work the unknown threat actors responsible devoted to the malware’s stealth, it would not be surprising if the malware is lurking undetected on some systems.
