The researchers found a new stealthy Linux malware called Shikitega that targets computers and IoT devices and uses privilege escalation vulnerabilities to run a Monero cryptocurrency miner on an infected device.
Shikitega can evade antiviral software using an encoder to enable signature-based static detection.
According to the report from the AT&T, the malware uses a multi-stage infection chain: for each level, only one hundred bytes delivers, a simple module activated, before introducing the next. That’s, Shikitega continuously gives the payload, with a fraction of the total payload revealing every step.
The infection begins with a coded FOL files in 370-bytes. This is done using an advanced computed memory software.
The malware goes through multiple decoder cycles that are used for the decoder to execute that final shellcode payload is decoded.
After the decryption is complete, the shell is executed, which enables the communication of the C&C server, and receives additional commands that can be stored from memory.
One command downloads and executes Mettle, a small, portable Metasploit Meterpreter payload that gives an attacker the additional ability to remotely control and execute the host’s code.
Mettle extracts a smaller file of ELF, which uses CVE-2021-4034 (PwnKit) and CVE-2021-3493 to transfer privileges to a root and load a cryptominer.
Persistence is achieved by deleting all downloaded files and reducing chances of detection.
Shikitega gang infection chain.
Defined, using its legitimate cloud hosting services, Shikitega operators can host their C&C infrastructure and secure the detection. This puts the operators at risk of being detected by the police, but rather harms them.
The AT&T team has recommended that administrators apply the available security updates, use EDR on all endpoints and give accurate backups of critical data.