A Linux-focused malware dubbed Shikitega has emerged to target endpoints and Internet of Things (IoT) devices with a unique, multistage infection chain that results in full device takeover and a cryptominer.
Researchers at AT&T Alien Labs who spotted the bad code said that the attack flow consists of a series of modules. Each module not only downloads and executes the next one, but each of these layers serves a specific purpose, according to a Tuesday posting from Alien Labs.
For instance, one module installs Metasploit’s “Mettle” Meterpreter, which allows attackers to maximize their control over infected machines with the ability to execute shell code, take over webcams and other functions, and more. Another is responsible for exploiting two Linux vulnerabilities (CVE-2021-3493 and CVE-2021-4034) to achieve privilege-escalation as root and achieve persistence; and yet another executes the well-known XMRig cryptominer for mining Monero.
Further notable capabilities in the malware include the use of the “Shikata Ga Nai” polymorphic encoder to thwart detection by antivirus engines; and the abuse of legitimate cloud services to store command-and-control servers (C2s). According to the research, the C2s can be used to send various shell commands to the malware, allowing attackers full control over the target.
Linux Malware Exploits on the Rise
Shikitega is indicative of a trend toward cybercriminals developing malware for Linux — the category has skyrocketed in the past 12 months, Alien Labs researchers said, spiking 650%.
The incorporation of bug exploits is also on the rise, they added.
“Threat actors find servers, endpoints, and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads,” according to the posting. “New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.”
On a related note, Linux is becoming a popular target for ransomware, too: A report from Trend Micro this week identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.
How to Protect Against Shikitega Infections
Terry Olaes, director of sales engineering at Skybox Security, said that while the malware might be novel, conventional defenses will still be important to thwart Shikitega infections.
“Despite the novel methods used by Shikitega, it is still reliant on tried-and-true architecture, C2, and access to the Internet, to be fully effective,” he said in a statement provided to Dark Reading. “Sysadmins need to consider appropriate network access for their hosts, and evaluate the controls that govern segmentation. Being able to query a network model to determine where cloud access exists can go a long way toward understanding and mitigating risk to critical environments.”
Also, given the focus that many Linux variants put on incorporating security bug exploits, he advised companies to, of course, focus on patching. He also suggested incorporating a tailored patching-prioritization process, which is easier said than done.
“That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape,” he said. “Organizations should ensure they have solutions capable of quantifying the business impact of cyber-risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses, such as exposure-based risk scores.”
He added, “They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation.”