
New hidden Shikitega malware targeting Linux systems and IoT devices


A new stealthy Linux malware called Shikitega has been discovered using a multi-stage infection chain to compromise endpoints and IoT devices and deliver additional payloads.

“An attacker can gain complete control of the system in addition to the cryptocurrency miner being executed and configured to persist,” AT&T Alien Labs said in a new report released Tuesday.

The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.


Once deployed on the target host, the attack chain downloads and executes Metasploit's “Mettle” meterpreter for maximum control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually runs a cryptocurrency miner on infected devices.

The exact method by which the initial compromise is achieved is still unknown, but what makes Shikitega evasive is its ability to download next-stage payloads from the command and control server (C2) and execute them directly in memory.
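One way a defender can triage for the in-memory execution described above, shown as an added example that is not code from the AT&T Alien Labs report: it flags processes whose `/proc/<pid>/exe` link points at a `memfd` region or an unlinked file. These are general signs of fileless execution on Linux, assumed here rather than taken from the report, and the sample data is constructed.

```python
import os
import re

# Link targets of /proc/<pid>/exe that show the binary is not backed by a
# regular on-disk file: a memfd_create() region or an unlinked executable.
_MEMFD = re.compile(r"^/memfd:")
_DELETED = re.compile(r" \(deleted\)$")

def classify_exe_link(target):
    """Return 'memfd', 'deleted' or None for one /proc/<pid>/exe link target."""
    if _MEMFD.search(target):
        return "memfd"    # memfd targets also end in " (deleted)", so test first
    if _DELETED.search(target):
        return "deleted"  # executable was removed from disk after launch
    return None

def scan_links(links):
    """links: iterable of (pid, target). Returns sorted [(pid, reason, target)]."""
    hits = []
    for pid, target in links:
        reason = classify_exe_link(target)
        if reason:
            hits.append((pid, reason, target))
    return sorted(hits)

def read_proc_links(proc="/proc"):
    """Collect (pid, exe target) pairs from a live system; skips unreadable PIDs."""
    out = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            out.append((int(name), os.readlink(os.path.join(proc, name, "exe"))))
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
    return out

# Constructed sample data (hypothetical PIDs and paths, not from the report).
SAMPLE = [
    (1, "/usr/lib/systemd/systemd"),
    (812, "/usr/sbin/cron"),
    (4021, "/memfd:x (deleted)"),
    (4188, "/tmp/.cache/upd (deleted)"),
]

if __name__ == "__main__":
    for pid, reason, target in scan_links(read_proc_links()):
        print(f"pid={pid} reason={reason} exe={target}")
```

Run as root to see every process. A "deleted" hit also appears for services left running after a package upgrade, so treat hits as leads to investigate, not verdicts.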


Privilege escalation is achieved by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, allowing an adversary to abuse the elevated permissions to fetch and execute the final-stage shell scripts with root privileges, which establish persistence and deploy the Monero crypto miner.


In a further attempt to fly under the radar, the malware operators use the “Shikata ga nai” polymorphic encoder to make detection by antivirus engines harder, and abuse legitimate cloud services for C2 functions.

“Threat entities continue to find ways to distribute malware in new ways to stay under the radar and avoid detection,” said AT&T Alien Labs researcher Ofer Caspi.

“The Shikitega malware is delivered in a sophisticated manner, using a polymorphic encoder and delivering its payload incrementally, where each step exposes only a portion of the total payload.”
