Executive Summary
In our 2021 Year in Review, we predicted a rise in Linux malware for 2022. AT&T Alien Labs recently reported on Shikitega, a new Linux malware with stealth capabilities.
Key Takeaways
- Shikitega is a stealthy malware targeting Linux devices.
- Shikitega uses the polymorphic encoder Shikata Ga Nai.
- Shikitega gives the threat actor persistence and installs XMRig cryptominer.
What is Shikitega?
Shikitega is a stealthy malware targeting Linux systems. It is delivered through a multi-stage infection chain in which each module carries out part of the payload and then downloads and executes the next one. Shikitega gives the threat actor full control of the system and installs a persistent cryptocurrency miner.
Shikitega’s main dropper is a 370-byte ELF file, of which roughly 300 bytes are actual code. According to Alien Labs, it is encoded with Shikata Ga Nai, the polymorphic XOR additive feedback encoder commonly used with Metasploit. The sample runs through multiple decode loops, each loop decoding the next layer, until the final shellcode payload is decoded and executed. Each encoder stub is generated with dynamic instruction substitution and dynamic block ordering, and the registers it uses are also selected dynamically, so the decoder itself differs from sample to sample.
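To make the encoder description above concrete, the following Python model shows how an XOR additive-feedback scheme of this kind works and why layering it changes every byte of the output. This is an added example, not code from the Alien Labs report or from Metasploit: the key-update order (XOR the word, then add the decoded word into the key), the 0x90 padding and the sample shellcode bytes are assumptions made for illustration, and the polymorphic x86 decoder stub that the real encoder emits is not modelled.

```python
"""Toy model of a Shikata Ga Nai style XOR additive-feedback encoder.

Added example, not Alien Labs' or Metasploit's code. Each 32-bit word is
XORed with a running key and the decoded word is then added into the key,
so every word after the first depends on all preceding plaintext. The
exact key-update order is an assumption of this model.
"""
import struct
from typing import Sequence

MASK32 = 0xFFFFFFFF

# Constructed sample payload: classic 32-bit execve("/bin/sh") shellcode,
# used only as input data; it is never executed here.
SAMPLE_SHELLCODE = (
    b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)


def _pad4(data: bytes) -> bytes:
    """Pad with NOPs (0x90) to a multiple of four bytes (assumed padding)."""
    return data + b"\x90" * (-len(data) % 4)


def encode_layer(plain: bytes, key: int) -> bytes:
    """One pass: cipher_i = plain_i ^ key_i ; key_{i+1} = key_i + plain_i."""
    plain = _pad4(plain)
    out = bytearray()
    for off in range(0, len(plain), 4):
        (word,) = struct.unpack_from("<I", plain, off)
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32  # feedback from the plaintext word
    return bytes(out)


def decode_layer(cipher: bytes, key: int) -> bytes:
    """Inverse pass, mirroring what a decoder stub's loop does in memory."""
    assert len(cipher) % 4 == 0, "encoded data is always word aligned"
    out = bytearray()
    for off in range(0, len(cipher), 4):
        (word,) = struct.unpack_from("<I", cipher, off)
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32  # same feedback, now from decoded word
    return bytes(out)


def encode_layers(payload: bytes, keys: Sequence[int]) -> bytes:
    """Apply several layers; keys[0] is the innermost (applied first)."""
    data = payload
    for k in keys:
        data = encode_layer(data, k)
    return data


def decode_layers(blob: bytes, keys: Sequence[int]) -> bytes:
    """Peel the layers in reverse order: the outermost stub runs first."""
    data = blob
    for k in reversed(keys):
        data = decode_layer(data, k)
    return data


def tamper_demo(payload: bytes, key: int, flip_at: int) -> int:
    """Flip one bit of the encoded blob and return how many leading words
    still decode correctly. Because of the additive feedback, the running
    key is wrong from the damaged word onward, so the tail is garbage."""
    good = _pad4(payload)
    blob = bytearray(encode_layer(good, key))
    blob[flip_at] ^= 0x01
    decoded = decode_layer(bytes(blob), key)
    intact = 0
    for off in range(0, len(good), 4):
        if decoded[off:off + 4] != good[off:off + 4]:
            break
        intact += 1
    return intact


if __name__ == "__main__":
    keys = [0x11223344, 0xDEADBEEF, 0x01020304]
    blob = encode_layers(SAMPLE_SHELLCODE, keys)
    print("encoded :", blob.hex())
    print("decoded :", decode_layers(blob, keys).hex())
    # A different key changes every output word, not just the first one.
    print("other key:", encode_layer(SAMPLE_SHELLCODE, 0x41414141).hex())
    print("words intact after tampering word 2:",
          tamper_demo(SAMPLE_SHELLCODE, 0xCAFEBABE, 8))
```

Two properties worth noticing: a one-word change in the key or the plaintext alters every following encoded word, which is why static signatures on the encoded body are unreliable, and corrupting a single encoded byte destroys everything after it, which is why the decoder stub (not the encoded body) is the stable thing to hunt for.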
Because the main dropper carries so little code, Shikitega fetches additional commands from its C2 by invoking syscall 102 (socketcall on 32-bit x86) to open the connection. The C2 replies with further shell commands to execute. Files downloaded from the C2 in this stage are not written to disk but executed in memory.
Shikitega downloads and executes Mettle, Metasploit’s native Meterpreter implementation for Linux and embedded targets. This gives the threat actor the ability to control the victim’s webcam, run a sniffer, control processes, execute shell commands and open multiple reverse shells.
Shikitega uses wget to download the next-stage dropper, a small ELF file of around 1 KB that is also encoded with Shikata Ga Nai. Shikitega decodes this file and runs the shell command it contains, which downloads and executes additional files. To run the last-stage dropper with elevated privileges, Shikitega exploits two Linux local privilege escalation vulnerabilities, CVE-2021-4034 (PwnKit, in polkit’s pkexec) and CVE-2021-3493 (the Ubuntu OverlayFS flaw). The final stage therefore runs as root; it establishes persistence and installs the XMRig cryptominer.
IOCs
PolySwarm has multiple samples of Shikitega.
fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765
f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb
You can use the following CLI command to search for all Shikitega samples in our portal:
$ polyswarm link list -f Shikitega
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports