Researchers at the AT&T Alien Labs have discovered a new strain of Linux malware that is extremely hard to detect and affects both traditional servers and Internet-of-things devices, which are typically less secure than your average computer (via Ars Technica).
The malware, dubbed “Shikitega,” is delivered through a multistage infection chain and uses polymorphic encoding to slip under the radar of antivirus technologies and other defences. In addition, Shikitega also hosts its command-and-control servers on recognizable cloud services to appear legitimate.
“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi wrote.
“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers.”
Exactly what Shikitega does once it has infected a system isn’t clear. It drops the XMRig software miner for the Monero cryptocurrency onto the victim device, so stealthy cryptojacking is one possibility.
However, Shikitega also downloads and executes a powerful Metasploit package, known as Mettle, that is capable of a lot more.
Mettle can jack webcam control, steal credentials, and combine multiple reverse shells into a package that runs on everything from “the smallest embedded Linux targets to big iron.” Shikitega injecting Mettle into infected systems indicates that there’s more to it than just clandestine Monero mining.
“Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed,” Caspi explained.
“The encoder stud is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically.”
Shikitega also exploits two previously known critical escalation of privileges vulnerabilities to obtain full root access to the target device.
Given how stealthy the malware is, the exact extent of its spread remains unknown. It also can’t be detected by most antivirus programs, making it all the more dangerous.
That said, Caspi’s post contains file hashes and domains associated with the Shikitega malware that can be used to discover an infection.
