The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Shikitega Linux Malware

Sep 15, 2022 1:51:05 PM / by PolySwarm Tech Team


Executive Summary

In our 2021 Year in Review, we predicted a rise in Linux malware for 2022. AT&T Alien Labs recently reported on Shikitega, a new Linux malware with stealth capabilities.

Key Takeaways

  • Shikitega is a stealthy malware targeting Linux devices.
  • Shikitega uses the polymorphic encoder Shikata Ga Nai.
  • Shikitega gives the threat actor persistence and installs XMRig cryptominer.
What is Shikitega?

Shikitega is a stealthy malware targeting Linux systems. It is delivered via a multi-stage infection chain, in which each module responds to part of the payload and then downloads and executes the following one. Shikitega gives threat actors full system control and installs a persistent cryptocurrency miner.

Shikitega’s main dropper is a 370 byte ELF file, and the actual code is around 300 bytes. According to Alien Labs, it uses Shikata Ga Nai, a polymorphic XOR additive feedback encoder often used in Metasploit. Shikitega uses the encoder to run through multiple decode loops, with each loop decoding the next layer, eventually leading to the decode and execution of the final shellcode payload. The encoder stub is generated using a dynamic instruction substitution and dynamic block ordering. The registers are also dynamically selected.

Due to the small size of the main dropper code, Shikitega downloads and executes additional commands from the C2 by calling 102 syscall. The C2 provides the malware with additional shell commands to execute. Additional files downloaded from the C2 are not stored on disk but are executed in memory.

Shikitega downloads and executes Mettle, which is a Metasploit interpreter. This allows the threat actor to control the victim’s webcam, use a sniffer, control processes, execute shell commands, and grant multiple reverse shells.

Shikitega uses wget to download the next stage dropper, a small ELF file around 1kb in size. The ELF file is encoded with Shikata Ga Nai. Shikitega decrypts this file and executes the shell command, which downloads and executes additional files. Shikitega exploits two Linux vulnerabilities, CVE-2021-4034 and CVE-2021-3493, to execute the last-stage dropper. The final stage is executed with root privileges and creates persistence, as well as installing XMRig cryptominer.


PolySwarm has multiple samples of Shikitega.



You can use the following CLI command to search for all Shikitega samples in our portal:

$ polyswarm link list -f Shikitega

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Linux, Shikitega, CVE-2021-4034, CVE-2021-3493

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts