AT&T Alien Labs reports that a new Linux malware dubbed Shikitega infects computers and IoT devices (internet of things) with multiple payloads. The stealthy malware leverages security flaws to gain privilege escalation and establish persistence. After the attacker controls the system, a cryptocurrency miner is deployed.

Infection Chain Analysis

As pointed out by AT&T Alien Labs, Shikitega malware entails a multi-step infection chain. It delivers a few hundred bytes per layer to encourage module activation. Each module responds to a different part of the payload, after which the next one is executed.

The malware allows attackers to control the system completely and run cryptominers. Each module has a specific task, such as downloading/executing meterpreter Metasploit, setting persistence on the infected device, exploiting Linux flaws, and downloading/executing a cryptominer.

The method to gain initial compromise is yet unknown. The first infection layer is a 370 bytes ELF file containing the encoded shellcode. After the decryption is completed, the final Mettle payload with remote code execution and control capabilities is executed through “int 0x80,” which helps execute the appropriate syscall.

Afterward, it downloads and runs other commands received from its C2 server by calling 102 syscall. The commands aren’t stored in the hard drive but executed from memory. Mettle retrieves a smaller ELF file that downloads and executes the cryptominer.

Stealthy Linux Malware Shikitega Deploying Monero Cryptominer
Shikitega operation process

Furthermore, Shikitega uses a polymorphic XOR additive feedback encoder dubbed Shikata Ga Nai. It was previously examined by researchers, which reported that each encoded shellcode it creates is different from the rest because it uses several techniques like dynamic block ordering, dynamic instruction substitution, and randomization of instruction spacing between instructions.

In this campaign, this encoder is employed to make detection by antivirus engines complex and exploit cloud services.

“Shiketega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.”

Ofer Caspi – AT&T

Shikitega is an evasive malware because it can download next-stage payloads from a C2 server and directly executes them in memory. It achieves privilege escalation through exploiting PwnKit or CVE-2021-4034 and CVE-2021-3493. The attacker can easily abuse the elevated permissions to fetch the final stage shellcode scripts with root privileges and deploy Monero cryptominer.

  1. New Linux malware is evading detection to mine cryptocurrency
  2. Old crypto malware makes come back, hits Windows, Linux devices
  3. New Linux Malware Installs Bitcoin Mining Software on Infected Device
  4. Golang malware infecting Windows, and Linux servers with XMRig miner
  5. ElectroRat crypto-stealing malware hits macOS, Windows, Linux devices