A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads.
“An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist,” AT&T Alien Labs said in a new report published Tuesday.
The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
Once deployed on a targeted host, the attack chain downloads and executes the Metasploit’s “Mettle” meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices.
The exact method by which the initial compromise is achieved remains unknown as yet, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
Privilege escalation is achieved by means of exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, enabling the adversary to abuse the elevated permissions to fetch and execute the final stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.
In a further attempt to fly under the radar, the malware operators employ a “Shikata ga nai” polymorphic encoder to make it more difficult to detect by antivirus engines and abuse legitimate cloud services for C2 functions.
Shikitega is also indicative of a trend toward malicious actors expanding their attack reach to accommodate the Linux operating system that’s widely used in cloud platforms and servers across the world, contributing to a surge in LockBit and Cheerscrypt ransomware infections.
According to Trend Micro 2022 Midyear Cybersecurity Report, “the emergence of these new Linux ransomware families directly corresponds to […] a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.”
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi said.
“Shiketega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.”