Researchers from AT&T Alien Labs discovered a new piece of stealthy Linux malware, dubbed Shikitega, that targets endpoints and IoT devices. The malware outstands for its multistage infection chain, threat actors use it to can gain full control of the system and carry out other malicious activities, including cryptocurrency mining.
Shikitega is able to download next-stage payloads from a C2 server and execute them directly in memory, which makes it highly evasive.
The experts reported that the malware downloads and executes Metasploit’s “Mettle” meterpreter to take over infected machines.
Shikitega exploits vulnerabilities to elevate privileges and maintain persistence, the researchers observed that it uses a polymorphic encoder to avoid detection by anti-virus engines.
The main dropper of the malware is a small ELF file (370 bytes in size), while the size of the actual code is around 300 bytes.
“The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit. Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.” reads the analysis published by AT&T Alien Labs. “After several decryption loops, the final payload shellcode will be decrypted and executed.”
Once the malware was installed on a targeted host, it downloads and executes the Metasploit’s “Mettle” meterpreter to maximize the control over the system and perform multiple operations.
The malware achieves privilege escalation by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493. The malware leverages the exploit to download and execute the final stage with root privileges – persistence and the payload of the malware.
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection. Shiketega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!” concludes the report.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Log4Shell)