Next-gen Linux malware takes control of devices with a unique set of tools
Linux-focused malware dubbed Shikitega has emerged to target Internet of Things (IoT) endpoints and devices with a unique multi-step infection chain that results in complete device takeover and cryptominer.
AT&T Alien Labs researchers who spotted the bad code said the attack stream consists of a series of modules. Not only does each module download and run the next, but each of these layers serves a specific purpose, according to a Tuesday post from Alien Labs.
For example, one module installs Metasploit’s “Mettle” Meterpreter, which allows attackers to maximize their control over infected machines with the ability to execute shell code, take control of webcams and other functions, and more. Again. Another is responsible for exploiting two Linux vulnerabilities (CVE-2021-3493 and CVE-2021-4034) to gain elevation of privilege as root and achieve persistence; and yet another runs the popular XMRig cryptominer for Monero mining.
Other notable abilities of the malware include the use of the “Shikata Ga Nai” polymorphic encoder to thwart detection by antivirus engines; and abuse of legitimate cloud services to store command and control (C2) servers. According to research, C2s can be used to send various shell commands to the malware, giving attackers complete control over the target.
Linux malware exploits on the rise
Shikitega is indicative of a trend for cybercriminals to develop malware for Linux – the category has exploded in the past 12 months, Alien Labs researchers said, peaking at 650%.
The incorporation of bug exploits is also on the rise, they added.
“Threat actors are finding servers, endpoints, and IoT devices based on Linux operating systems increasingly valuable and finding new ways to deliver their malicious payloads,” according to the post. “New malware like BotenaGo and EnemyBot are examples of how malware authors quickly integrate newly discovered vulnerabilities to find new victims and increase their reach.”
Along the same lines, Linux is also becoming a popular target for ransomware: a Trend Micro report this week identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period. Last year.
How to Protect Against Shikitega Infections
Terry Olaes, director of sales engineering at Skybox Security, said that while the malware may be new, conventional defenses will still be important in thwarting Shikitega infections.
“Despite the new methods used by Shikitega, it still depends on a proven architecture, C2, and access to the internet, to be fully effective,” he said in a statement provided to Dark Reading. “System administrators should consider appropriate network access for their hosts and evaluate the controls that govern segmentation. Being able to query a network model to determine where cloud access exists can go a long way in understanding and mitigating risk to environments reviews.”
Additionally, given the emphasis many Linux variants have on incorporating security bug exploits, he advised companies to focus, of course, on patches. He also suggested incorporating a custom patch prioritization process, which is easier said than done.
“That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape,” he said. “Organizations need to ensure they have solutions that can quantify the business impact of cyber risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the magnitude of financial impact, among other risk analyses, such as exposure-risk-based risk scores.”
He added: “They also need to improve the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability is affecting them, how urgent it is to remediate, and what options are available. for said fix.”