A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware.
Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs.
The malware is delivered in a multi-stage infection chain, where each module responds to commands from the previous part of the payload and downloads and executes the next one.
By downloading the payload bit by bit – starting with a module that is just a few hundred bytes – Shikitega can avoid being uncovered by anti-virus software. It also uses a polymorphic encoder to make it more difficult to detect.
Researchers also note that those behind Shikitega appear to abuse legitimate cloud services to host some of their command-and-control servers.
The initial method of infection is still unknown, but the malware gradually downloads more and more modules to provide full functionality, starting with the initial dropper, then going through several stages – including downloading Mettle, a Metasploit offensive security tool, which allows the attacker to deploy a wide range of attacks.
These include taking control of webcams, taking control of processes, executing shell commands, and more. The ability to run shell commands provides the attackers with the ability to further exploit the system – and it appears that this is what they’re focused on for now.
The malware downloads and executes further modules that exploit vulnerabilities in Linux, which can be used to achieve persistence and control of the compromised system.
The vulnerabilities are CVE-2021-3493, a validation issue in the Linux kernel that allows attackers to gain elevated privileges, and CVE-2021-4034, a high-severity memory corruption vulnerability in polkit, which is installed by default in Linux distributions.
By exploiting these vulnerabilities, the malware is able to download and execute the final stage of the payload with root privileges, providing the ability to fully control the system.
This final stage of the attack downloads crypto-mining malware, which allows the attackers to exploit the power of infected machines to secretly mine for cryptocurrency – at no cost to themselves. While this appears to be the focus of the attacks for now, the amount of control Shikitega gains over systems means it could be used for more damaging attacks in the future.
And Linux is a useful target for cyber criminals, because it can often be overlooked when businesses think about cybersecurity.
“Threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads,” said Ofer Caspi, malware researcher at Alien Labs.
“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload,” he added.
A key part of Shikitega’s attack process is leveraging known vulnerabilities to help gain full access to Linux systems; this can be prevented by ensuring the appropriate security patches for CVE-2021-3493 and CVE-2021-4034 have been applied, as well as swiftly applying any other updates that are released.