A stealthy new strain of malware is targeting Linux systems in attacks that take full control of infected devices and then use that access to install cryptocurrency-mining malware.
The malware, which the cybersecurity researchers at AT&T Alien Labs who detailed it call Shikitega, targets endpoints and Internet of Things devices running Linux.
Shikitega is delivered in a multi-stage infection chain: each stage of the payload downloads and executes the next one, so no single file on disk contains the whole implant.
By fetching the payload in small pieces, starting with a module of only a few hundred bytes, Shikitega reduces the surface that antivirus software can inspect at any one time. It also runs its stages through a polymorphic encoder, so the bytes of each stage differ from sample to sample and static signatures have little to match on.
Researchers also note that those behind Shikitega appear to abuse legitimate cloud services to host some of their command-and-control servers.
The initial infection vector is still unknown, but once on a system the malware downloads additional modules in stages until it has its full functionality.
The chain starts with the initial dropper and passes through several stages, one of which downloads Mettle, the Metasploit project's native Meterpreter implementation for Linux and embedded targets, which gives the attacker a wide range of post-exploitation capabilities.
These include controlling webcams, manipulating processes, executing shell commands, and more. Shell command execution is what the operators currently rely on to push the intrusion further.
The malware then downloads and executes further modules that exploit known Linux vulnerabilities to gain persistence and full control of the compromised system.
The vulnerabilities include:
- CVE-2021-3493: a validation flaw in the Linux kernel's OverlayFS filesystem (affecting Ubuntu kernels) that lets a local, unprivileged user gain root privileges.
- CVE-2021-4034 (PwnKit): a high-severity memory-corruption vulnerability in polkit's setuid pkexec helper, which is installed by default on most Linux distributions, that gives any local user root.
By exploiting these vulnerabilities, the malware downloads and executes the final stage of the payload with root privileges, giving it full control of the system.
This final stage of the attack downloads crypto-mining malware, which allows the attackers to exploit the power of infected machines to secretly mine for cryptocurrency, at no cost to themselves.
While this appears to be the focus of the attacks for now, the amount of control Shikitega gains over systems means it could be used for more damaging attacks in the future.
Linux is an attractive target for cyber criminals because it is often overlooked when businesses plan their cybersecurity.
A key part of Shikitega's attack chain is the use of known vulnerabilities to gain root on Linux systems. That step can be denied by making sure the distribution's security patches for CVE-2021-3493 and CVE-2021-4034 have been applied, and by applying other updates promptly as they are released. Until the polkit patch is in place, removing the setuid bit from pkexec is the accepted stop-gap for CVE-2021-4034.
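The following POSIX shell script is an added example, not code from AT&T Alien Labs or from this article. It performs a read-only exposure check for the two conditions the chain's privilege-escalation step depends on: a setuid-root pkexec (CVE-2021-4034) and unprivileged user namespaces, through which the public CVE-2021-3493 OverlayFS exploit mounts its filesystem. It assumes GNU coreutils `stat` and procps `sysctl`; the sysctl name `kernel.unprivileged_userns_clone` and the package names `policykit-1` and `polkit` are Debian/Ubuntu and RPM conventions respectively, and `KERNEL_FIXED` is a hypothetical environment variable you set from your distribution's advisory. It deliberately does not hard-code "fixed" version numbers, because distributions backport these fixes without bumping the upstream version.

```shell
#!/bin/sh
# Added example, not AT&T Alien Labs' or the article's code: read-only exposure
# check for the two CVEs Shikitega chains to get root. It reports host facts;
# the authoritative patch status is your distribution's advisory for the polkit
# and kernel packages, because distros backport fixes without bumping upstream
# version numbers. Assumes GNU coreutils (stat -c) and procps sysctl.

# ---- pure helpers (no host access, unit-testable) ---------------------------

# CVE-2021-4034 (PwnKit) is only reachable through a setuid-root pkexec; the
# stop-gap mitigation is `chmod 0755 /usr/bin/pkexec`. Given an octal mode as
# printed by `stat -c %a` (4755, 755, ...), report whether setuid is set.
setuid_state() {
    case "$1" in
        [4567]???) echo setuid ;;      # 4 = setuid; 5/6/7 = setuid plus sticky/setgid
        *)         echo no-setuid ;;
    esac
}

# The public CVE-2021-3493 exploit mounts OverlayFS inside an unprivileged
# user namespace. Given the value of kernel.unprivileged_userns_clone
# (Debian/Ubuntu kernels) or user.max_user_namespaces (upstream), report
# whether unprivileged user namespaces are available.
userns_state() {
    case "$1" in
        0)  echo disabled ;;
        "") echo unknown ;;   # neither sysctl exists on this kernel
        *)  echo enabled ;;
    esac
}

# Numeric comparison of dotted version strings ("5.4.0-72-generic" is split
# into 5 4 0 72; non-numeric parts are ignored, 1.2.10 > 1.2.9). Prints
# older, equal or newer for $1 relative to $2.
version_compare() {
    a=$(printf '%s.' "$1" | tr -c '0-9' '.' | tr -s '.' | sed 's/^\.//')
    b=$(printf '%s.' "$2" | tr -c '0-9' '.' | tr -s '.' | sed 's/^\.//')
    i=1
    while [ "$i" -le 16 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then echo equal; return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo newer; return 0; fi
        if [ "$x" -lt "$y" ]; then echo older; return 0; fi
        i=$((i + 1))
    done
    echo equal
}

# ---- live, read-only checks against this host --------------------------------
run_checks() {
    pk=$(command -v pkexec 2>/dev/null || true)
    if [ -n "$pk" ]; then
        echo "pkexec: $pk is $(setuid_state "$(stat -c %a "$pk")") ($(pkexec --version 2>/dev/null))"
    else
        echo "pkexec: not installed, CVE-2021-4034 not reachable"
    fi
    pkg=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null \
          || rpm -q --qf '%{VERSION}-%{RELEASE}' polkit 2>/dev/null \
          || echo unknown)
    echo "polkit package version: $pkg (compare with your distro's CVE-2021-4034 advisory)"
    uc=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null \
         || sysctl -n user.max_user_namespaces 2>/dev/null || true)
    echo "unprivileged user namespaces: $(userns_state "$uc")"
    echo "kernel: $(uname -r)"
    # KERNEL_FIXED is a hypothetical env var: set it to the fixed kernel version
    # from your distribution's CVE-2021-3493 advisory to get a verdict.
    if [ -n "${KERNEL_FIXED:-}" ]; then
        echo "kernel relative to $KERNEL_FIXED: $(version_compare "$(uname -r)" "$KERNEL_FIXED")"
    fi
}

# Run the live checks only when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as `sh shikitega_exposure.sh run`, optionally with `KERNEL_FIXED=5.4.0-72 sh shikitega_exposure.sh run` on an Ubuntu host. "pkexec ... setuid" together with a polkit package version older than the one in your distribution's advisory means the PwnKit stage will succeed; "unprivileged user namespaces: enabled" on an unpatched Ubuntu kernel means the OverlayFS stage will too. Disabling unprivileged user namespaces and dropping pkexec's setuid bit are mitigations, not substitutes for the patches.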