A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware.
Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs.
- The malware downloads and executes Metasploit's "Mettle" meterpreter to maximise its control over infected machines.
- Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute a crypto miner.
- The malware uses a polymorphic encoder to make it harder for anti-virus engines to detect.
- Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.
The findings add to a growing list of Linux malware found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
The exact method by which the initial compromise is achieved is still unknown, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
The next downloaded and executed file is another small ELF file (around 1 KB) encoded with the "Shikata Ga Nai" encoder. The malware decrypts a shell command that is then executed by calling syscall_execve with "/bin/sh" as a parameter together with the decrypted shell command.
The malware then leverages the exploit to download and execute the final stage with root privileges: the persistence and cryptominer payload.
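Two behaviours described above are observable from a defender's side even when the payload never touches disk: the stage binary runs from memory only, and it spawns `/bin/sh -c` to run the decrypted command. The following is an added detection example, not code from the article or from AT&T Alien Labs; it walks `/proc`-style process records and flags processes whose executable link points to a `memfd:` or deleted file, plus any `/bin/sh -c` child spawned by such a process. The `Proc` record layout, the sample process table and the placeholder command string are constructed for illustration.

```python
"""Heuristic detection of in-memory ELF stages that spawn /bin/sh -c.

Added example (not from the article or AT&T Alien Labs). Records mirror the
fields a scanner reads from /proc/<pid>/exe, /proc/<pid>/cmdline and
/proc/<pid>/status; SAMPLE is a constructed process table.
"""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str             # readlink target of /proc/<pid>/exe
    cmdline: List[str]   # argv split on NUL


def is_memory_only(exe: str) -> bool:
    """True when the executable has no on-disk backing file.

    memfd_create() binaries show up as '/memfd:<name> (deleted)'; a binary
    that was unlinked after exec shows up as '<path> (deleted)'.
    """
    return exe.startswith("/memfd:") or exe.endswith("(deleted)")


def find_suspicious(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes matching the two indicators."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if is_memory_only(p.exe):
            reasons.append(f"executable not backed by a file on disk: {p.exe}")
        if p.cmdline[:2] == ["/bin/sh", "-c"]:
            parent = by_pid.get(p.ppid)
            if parent is not None and is_memory_only(parent.exe):
                reasons.append(f"/bin/sh -c spawned by in-memory parent pid {p.ppid}")
        if reasons:
            findings[p.pid] = reasons
    return findings


def read_live_procs() -> List[Proc]:
    """Collect Proc records from the running host's /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            with open(f"/proc/{pid}/status") as f:
                ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
        except (OSError, StopIteration):
            continue  # kernel thread, exited process, or permission denied
        procs.append(Proc(pid, ppid, exe, cmdline))
    return procs


# Constructed sample table: one benign daemon, one memory-only stage and its
# /bin/sh -c child, and a benign cron-launched shell that must NOT be flagged.
SAMPLE = [
    Proc(100, 1, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    Proc(200, 100, "/memfd:stage (deleted)", ["./stage"]),
    Proc(201, 200, "/usr/bin/dash", ["/bin/sh", "-c", "<decrypted command placeholder>"]),
    Proc(300, 1, "/usr/bin/dash", ["/bin/sh", "-c", "/usr/bin/logrotate /etc/logrotate.conf"]),
]

if __name__ == "__main__":
    table = read_live_procs() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in sorted(find_suspicious(table).items()):
        print(pid, "; ".join(reasons))
```

Run on a live host it prints one line per flagged pid; the same logic can be fed into an EDR rule or a periodic cron check. It is a heuristic: legitimate software occasionally runs from `memfd` (some package managers and JIT runtimes), so treat hits as triage candidates rather than verdicts.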
- Keep software up to date with security updates.
- Install antivirus and/or EDR on all endpoints.
- Use a backup system to back up server files.