The new Linux malware combines unusual invisibility with a full suite of features

Skull and crossbones in binary code

Researchers this week unveiled a new strain of Linux malware that stands out for its stealth and sophistication in infecting both traditional servers and smaller internet-of-things devices.

Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is distributed through a multistage infection chain using polymorphic encoding. It also abuses legitimate cloud services to host command and control servers. These things make detection extremely difficult.

“Threat actors continue to look for ways to deliver malware in new ways to stay under the radar and avoid detection,” wrote Ofer Caspi, researcher at AT&T Alien Labs. “The Shikitega malware is distributed in a sophisticated way, uses a polymorphic encoder, and gradually distributes its payload where each step reveals only a portion of the total payload. Furthermore, the malware abuses known hosting services to host its servers. command and control. “

AT&T Alien Labs

The ultimate goal of the malware is unclear. Releases XMRig software for mining Monero cryptocurrency, so stealthy cryptojacking is a possibility. But Shikitega also downloads and runs a powerful Metasploit package known as Mettle, which bundles features including webcam control, credential theft, and multiple reverse shells into one package that works on anything from the “smallest embedded Linux lenses to the big one.” iron”. Mettle’s inclusion leaves open the potential that Monero’s clandestine mining isn’t the only function.

The main dropper is tiny: an executable file of only 376 bytes.

AT&T Alien Labs

Polymorphic encoding is courtesy of the Shikata Ga Nai encoder, a Metasploit module that simplifies the encoding of the shellcode provided in Shikitega payloads. The coding is combined with a multistage infection chain, where each link responds to a part of the previous one to download and execute the next.

“Using the encoder, the malware performs several decryption cycles, where one cycle decodes the next level, until the final shellcode payload is decoded and executed,” Caspi explained. “The stud encoder is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are dynamically selected.”

AT&T Alien Labs

AT&T Alien Labs

A command server will respond with additional shell commands to run on the target machine, as documented by Caspi in the packet capture shown below. The bytes marked blue are the shell commands that Shikitega will execute.

AT&T Alien Labs

Additional commands and files, such as the Mettle package, are automatically executed in memory without being saved to disk. This adds further stealth by making detection by antivirus protection difficult.

To maximize its control over the compromised device, Shikitega exploits two critical privilege escalation vulnerabilities that give full root access. A bug, traced as CVE-2021-4034 and colloquially known as PwnKit, lurked in the Linux kernel for 12 years until it was discovered earlier this year. The other vulnerability is traced as CVE-2021-3493 and came to light in April 2021. Although both vulnerabilities have been patched, the fixes may not be widely installed, particularly on IoT devices.

The post provides hashes of files and domains associated with Shikitega that stakeholders can use as indicators of a trade-off. Given the work unknown threat actors have put into stealth malware, it wouldn’t be surprising if malware lurked undetected on some systems.