Researchers this week unveiled a new breed of Linux malware that stands out for its stealth and sophistication at infecting both traditional servers and smaller Internet-of-things devices.
The malware, dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, is delivered via a multi-stage infection chain using polymorphic coding. It also misuses legitimate cloud services to host its command-and-control servers. Together, these techniques make detection extremely difficult.
“Threat actors continue to look for ways to deliver malware in new ways to stay under the radar and avoid detection,” wrote AT&T Alien Labs researcher Ofer Caspi. “Shikitega malware is delivered in an advanced manner, it uses a polymorphic encoder and it gradually delivers its payload with each step revealing only a portion of the total payload. In addition, the malware misuses known hosting services to host its command and control servers.”
The ultimate goal of the malware is not clear. It drops the XMRig software for mining the Monero cryptocurrency, so sneaky cryptojacking is a possibility. But Shikitega also downloads and runs a powerful Metasploit package known as Mettle, which bundles capabilities including webcam monitoring, credential stealing, and multiple reverse shells into one package that runs on everything from “the tiniest embedded Linux targets to great iron”. Mettle’s inclusion leaves open the potential that covert Monero mining isn’t its only function.
The main dropper is small: an executable of only 376 bytes.
The polymorphic encoding is done courtesy of the Shikata Ga Nai encoder, a Metasploit module that makes it easy to encode the shellcode carried in Shikitega payloads. This encoding is combined with a multi-stage infection chain, in which each stage reveals only part of the payload and is responsible for downloading and running the next.
“Using the encoder, the malware goes through several decoding loops, with one loop decoding the next layer, until the final shellcode payload is decoded and executed,” explains Caspi. “The encoder stub is generated based on dynamic instruction replacement and dynamic block order. In addition, registers are selected dynamically.”
The command-and-control server responds with additional shell commands for the target machine to execute, as Caspi has documented in the packet capture shown below. The bytes marked in blue are the shell commands that Shikitega will execute.
The commands and additional files, such as the Mettle package, are automatically executed in memory without being saved to disk. This adds even more stealth by making detection through antivirus protection difficult.
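Because the later stages run from memory rather than from a file on disk, a file-scanning antivirus has nothing to inspect; one place they do leave a trace is the kernel's own process table. The following added example (written for this page, not code from the article or from AT&T Alien Labs) checks `/proc/<pid>/exe` for executables backed by `memfd_create()` or by a file that has since been unlinked, which is how in-memory payloads typically appear. The process list `SAMPLE_PROCS` is constructed for illustration; the `collect_live_procs()` helper reads the real `/proc` when run on a Linux host.

```python
"""Flag processes whose main executable exists only in memory.

Added example, not from the article or the AT&T Alien Labs report. On Linux, a
program loaded through memfd_create() shows up in /proc/<pid>/exe as
"/memfd:<name> (deleted)", and one started from a file that was later removed
shows up as "<path> (deleted)". Neither can be found by scanning the filesystem.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Link targets that indicate an in-memory or unlinked executable image.
_MEMFD_RE = re.compile(r"^/memfd:")
_DELETED_RE = re.compile(r" \(deleted\)$")


def classify_exe_target(target: str) -> str:
    """Return 'memfd', 'deleted' or 'on_disk' for one /proc/<pid>/exe link target."""
    if _MEMFD_RE.match(target):
        return "memfd"
    if _DELETED_RE.search(target):
        return "deleted"
    return "on_disk"


def find_memory_resident(procs: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Given (pid, comm, exe_target) tuples, return a finding for each suspicious one."""
    findings: List[Dict[str, object]] = []
    for pid, comm, target in procs:
        kind = classify_exe_target(target)
        if kind != "on_disk":
            findings.append({"pid": pid, "comm": comm, "exe": target, "kind": kind})
    return findings


def collect_live_procs() -> List[Tuple[int, str, str]]:
    """Read the process table from /proc on the running host (Linux only).

    Entries we cannot read (kernel threads, other users' processes without
    privilege, processes that exited mid-scan) are skipped rather than reported.
    """
    out: List[Tuple[int, str, str]] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            target = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        out.append((pid, comm, target))
    return out


# Constructed sample process table (not real data): two benign daemons, one
# memfd-backed image hiding behind a kernel-thread-like name, one unlinked file.
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "sshd", "/usr/sbin/sshd"),
    (2310, "kworker/0:1", "/memfd:payload (deleted)"),
    (2355, "bash", "/tmp/.x (deleted)"),
]

if __name__ == "__main__":
    for f in find_memory_resident(SAMPLE_PROCS):
        print(f"pid={f['pid']} comm={f['comm']} kind={f['kind']} exe={f['exe']}")
    if os.path.isdir("/proc"):
        live = find_memory_resident(collect_live_procs())
        print(f"live host: {len(live)} memory-resident executable(s) found")
```

Run as root to see every process; as an unprivileged user `readlink` on other users' `/proc/<pid>/exe` fails and those entries are silently skipped, so an empty result from a non-root scan proves little. A `(deleted)` target is also produced by a package upgrade that replaced a binary while it was running, so treat the finding as a lead to correlate with the binary's name and parent, not as a verdict on its own.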
To maximize control over the compromised device, Shikitega leverages two critical privilege escalation vulnerabilities that allow full root access. One bug, tracked as CVE-2021-4034 and popularly known as PwnKit, was in the Linux kernel for 12 years until it was discovered early this year. The other vulnerability is tracked as CVE-2021-3493 and was exposed in April 2021. While both vulnerabilities have received patches, the fixes may not be widely installed, particularly on IoT devices.
The post provides file hashes and domains associated with Shikitega that interested parties can use as indicators of compromise. Given the work done by the unknown threat actors responsible for the stealth of the malware, it wouldn’t be surprising if the malware lurks undetected on some systems.
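A practical way to use the published indicators is a sweep that hashes files on disk and matches DNS query logs against the listed domains. The added example below is written for this page and is not code from the article or from AT&T Alien Labs; the hash and domain values in `IOC_SHA256` and `IOC_DOMAINS` are obviously fake placeholders to be replaced with the indicators from the Alien Labs report, and `SAMPLE_DNS_LOG` is a constructed dnsmasq-style log.

```python
"""Sweep a host for published indicators of compromise.

Added example, not part of the article or the AT&T Alien Labs post. Two checks:
SHA-256 of every regular file under a directory against a hash list, and
dnsmasq-style query logs against a domain list (matching subdomains too, since
C2 hostnames are often rotated under one parent domain).
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Set

# PLACEHOLDER indicators, not real Shikitega IoCs: replace with values from the report.
IOC_SHA256: Set[str] = {"0" * 64}
IOC_DOMAINS: Set[str] = {"c2.example.invalid"}


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root: str, iocs: Set[str]) -> List[str]:
    """Return paths of regular files under root whose SHA-256 is in the IoC set."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and sha256_of_file(path) in iocs:
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished; not a match we can confirm
    return hits


# dnsmasq logs queries as: "query[A] <name> from <client>"
_DNS_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def match_dns_log(lines: Iterable[str], domains: Set[str]) -> List[Dict[str, str]]:
    """Return (client, name) pairs for queries to an IoC domain or any subdomain of one."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _DNS_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        client = m.group(2)
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append({"client": client, "name": name})
    return hits


# Constructed log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "Sep  8 10:01:02 gw dnsmasq[412]: query[A] updates.example.org from 10.0.0.7",
    "Sep  8 10:01:05 gw dnsmasq[412]: query[A] c2.example.invalid from 10.0.0.5",
    "Sep  8 10:01:09 gw dnsmasq[412]: query[AAAA] beacon.c2.example.invalid. from 10.0.0.9",
    "Sep  8 10:01:11 gw dnsmasq[412]: reply updates.example.org is 192.0.2.10",
]

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS):
        print(f"DNS hit: {hit['client']} -> {hit['name']}")
    for path in sweep_directory("/tmp", IOC_SHA256):
        print(f"hash hit: {path}")
```

Hash matching only catches the exact samples that were reported; because the dropper is polymorphically encoded, each new build hashes differently, which is why the domain and process-level checks matter more than the file hashes over time.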