New Linux malware combines unusual stealth with full feature set


Researchers this week unveiled a new line of Linux malware, notable for its stealth and sophistication in infecting both traditional servers and smaller Internet-of-Things devices.

Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is delivered through a multistage infection chain that uses polymorphic encoding. It also abuses legitimate cloud services to host its command-and-control servers. Together, these traits make detection extremely difficult.

Threat actors continue to find new ways to distribute malware, stay under the radar, and avoid detection, AT&T Alien Labs researcher Ofer Caspi wrote. “The Shikitega malware is distributed in a sophisticated way; it uses a polymorphic encoder and gradually distributes its payload, where each step reveals only a portion of the total payload. The malware also abuses known hosting services to host its command and control servers.”

AT&T Alien Labs

The ultimate goal of the malware is unclear. It installs the XMRig software for mining Monero, so a stealthy crypto-mining campaign is one possibility. But Shikitega also downloads and executes Mettle, a powerful Metasploit payload package. The inclusion of Mettle opens up the possibility that stealthy Monero mining is not its only function.

The main dropper is very small: the executable is only 376 bytes.


The polymorphic encoding is done with Shikata Ga Nai, a Metasploit encoder module that makes it easy to encode the shellcode delivered in Shikitega's payloads. The encoding is paired with a multistage infection chain, in which each stage responds to a part of the previous one by downloading and executing the next.

“Using an encoder, the malware runs through multiple rounds of decryption, where one loop decrypts the next until the final shellcode payload is decoded and executed,” Caspi explains. “The encryption key is generated based on dynamic instruction substitution and dynamic block order. In addition, registers are selected dynamically.”


The command-and-control server responds with additional shell commands for the targeted machine to execute, as Caspi documented in a packet capture included in the report. The bytes highlighted in blue in that capture are the shell commands that Shikitega executes.


Additional commands and files, such as the Mettle package, are executed directly in memory without ever being written to disk. This further increases stealth, since file-based antivirus scanning has nothing to inspect.
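One practical counter to in-memory execution is to look at what the kernel itself reports about running processes rather than at files. The following is an added example, not code from the Alien Labs report or from Ars; it assumes the common Linux fileless tell, an `/proc/<pid>/exe` link that points at a `memfd:` object, a tmpfs path, or a file that has since been deleted, and demonstrates the scan on a constructed fake `/proc` tree so it runs offline.

```python
import os
import re
import tempfile

# Heuristic, not a Shikitega signature: the report does not name the loader
# technique, so this flags the generic Linux fileless-execution tells.
# Expect some false positives (e.g. a binary upgraded while still running).
SUSPECT_EXE = re.compile(r"^/memfd:|^/dev/shm/|\(deleted\)$")


def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_target)] for processes whose image looks fileless.

    Only numeric entries are processes; unreadable links (permissions,
    kernel threads, a process exiting mid-scan) are skipped silently.
    """
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if SUSPECT_EXE.search(target):
            hits.append((int(entry), target))
    return hits


def build_demo_proc(root):
    """Construct a fake /proc tree (constructed sample data, not a real host)."""
    samples = {
        "101": "/usr/sbin/sshd",               # ordinary on-disk daemon
        "202": "/memfd:payload (deleted)",     # memfd_create() + fexecve()
        "303": "/tmp/.x (deleted)",            # dropped, executed, then unlinked
        "404": "/usr/bin/python3",
    }
    for pid, target in samples.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        os.symlink(target, os.path.join(pid_dir, "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be ignored
    return root


def demo():
    """Run the scanner against the constructed tree; returns the flagged list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_proc(build_demo_proc(tmp))


if __name__ == "__main__":
    for pid, exe in demo():
        print(f"pid {pid}: {exe}")
```

Running `scan_proc()` with the default root on a live host needs root to read other users' `exe` links; pair it with `ls -l /proc/<pid>/fd` and `/proc/<pid>/maps` before drawing conclusions.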

To maximize its control over the compromised device, Shikitega exploits two critical privilege escalation vulnerabilities to gain full root access. One bug, tracked as CVE-2021-4034 and commonly referred to as PwnKit, lurked in the Linux kernel for 12 years until it was discovered earlier this year. The other, tracked as CVE-2021-3493, came to light in April 2021. While both vulnerabilities have received patches, the fixes may not be widely installed, especially on IoT devices.

The post provides hashes and domains of files associated with Shikitega that interested parties can use as indicators of compromise. Given the work the unknown threat actors have put into making the malware stealthy, it wouldn't be surprising if it is lurking undetected on some systems.
