Security researchers have identified a new type of malware designed to compromise Linux and IoT devices, allowing attackers to take over and deploy cryptominers.
Despite their reputation as much harder to compromise, Linux systems are not invulnerable. As with any other operating system, known vulnerabilities have to be closed with security patches; an unpatched host is an easy target, and attackers actively look for them.
This is the case with the new Shikitega malware, which security researchers from AT&T Alien Labs identified in the wild targeting Linux operating systems and various IoT devices. The infection starts with a very small dropper, and to gain root on the host the malware exploits two known local privilege escalation vulnerabilities, CVE-2021-4034 (PwnKit, in Polkit's pkexec) and CVE-2021-3493 (an OverlayFS bug in Ubuntu kernels). The dropper is heavily encoded in an attempt to bypass security solutions.
“The malware uses the ‘Shikata Ga Nai’ polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit,” security researchers explained. “Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.”
“After several decryption loops, the final payload shellcode will be decrypted and executed. As the malware does not use any imports, it uses ‘int 0x80’ to execute the appropriate syscall,” researchers added.
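The following is an added example, not code from the AT&T Alien Labs report or from Metasploit. It models the arithmetic behind the Shikata Ga Nai scheme (XOR with a running key, key advanced by adding the decoded word) on a byte buffer, so the decode loops described in the quotes can be followed step by step, including a second layer that must be peeled first. The payload bytes, the two seeds and the helper names are constructed for the demonstration; the polymorphic x86 decoder stub and the int 0x80 syscalls of the real payload are not reproduced.

```c
// Added example, not code from the AT&T Alien Labs report or from Metasploit.
// Models the XOR additive feedback scheme behind "Shikata Ga Nai": each 32-bit
// word is XORed with a running key, then the key is advanced by adding the
// just-decoded plaintext word, so the key for every word depends on all the
// words before it. A second layer is made by encoding the first layer's output
// again with another seed; decoding peels the layers in reverse order.
// The real encoder wraps this loop in a polymorphic x86 decoder stub, and the
// final shellcode makes its syscalls through int 0x80; neither is shown here.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 16

// One word of the scheme: ciphertext = plaintext XOR key.
static uint32_t sgn_encode_word(uint32_t plain, uint32_t key) {
    return plain ^ key;
}

// Encode buf in place. Trailing bytes that do not fill a word are left as-is
// (Metasploit pads the payload so this never happens; here we just stop).
static void sgn_encode(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t key = seed;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t plain;
        memcpy(&plain, buf + i, 4);
        uint32_t enc = sgn_encode_word(plain, key);
        memcpy(buf + i, &enc, 4);
        key += plain;              // additive feedback from the plaintext word
    }
}

// Decode mirrors what the decoder stub does: XOR the word with the key, then
// add the word, which now holds plaintext, to the key.
static void sgn_decode(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t key = seed;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t word;
        memcpy(&word, buf + i, 4);
        word ^= key;
        memcpy(buf + i, &word, 4);
        key += word;
    }
}

// Constructed stand-in for a shellcode payload (printable so the hex dump is
// easy to read); the bytes themselves are meaningless.
static const char kPayload[PAYLOAD_LEN + 1] = "ABCDEFGHIJKLMNOP";
// Two layer seeds, chosen arbitrarily for the demonstration.
static const uint32_t kSeeds[2] = { 0x11111111u, 0xA5A5A5A5u };

static void hexdump(const char *label, const uint8_t *p, size_t n) {
    printf("%-10s", label);
    for (size_t i = 0; i < n; i++) printf("%02x", p[i]);
    printf("\n");
}

// Returns 1 if: the first word of the inner layer matches the value worked
// out by hand ("ABCD" is 0x44434241 on little-endian x86, XOR 0x11111111 =
// 0x55525350), the two-layer ciphertext differs from the plaintext, decoding
// both layers restores kPayload, and a wrong inner seed does not.
static int sgn_selftest(void) {
    uint8_t buf[PAYLOAD_LEN];
    memcpy(buf, kPayload, PAYLOAD_LEN);

    sgn_encode(buf, PAYLOAD_LEN, kSeeds[0]);       // inner layer
    uint32_t first;
    memcpy(&first, buf, 4);
    if (first != 0x55525350u) return 0;
    sgn_encode(buf, PAYLOAD_LEN, kSeeds[1]);       // outer layer
    if (memcmp(buf, kPayload, PAYLOAD_LEN) == 0) return 0;

    uint8_t wrong[PAYLOAD_LEN];
    memcpy(wrong, buf, PAYLOAD_LEN);

    sgn_decode(buf, PAYLOAD_LEN, kSeeds[1]);       // peel the outer layer first
    sgn_decode(buf, PAYLOAD_LEN, kSeeds[0]);
    if (memcmp(buf, kPayload, PAYLOAD_LEN) != 0) return 0;

    sgn_decode(wrong, PAYLOAD_LEN, kSeeds[1]);
    sgn_decode(wrong, PAYLOAD_LEN, 0xDEADBEEFu);   // wrong inner seed
    if (memcmp(wrong, kPayload, PAYLOAD_LEN) == 0) return 0;
    return 1;
}

int main(void) {
    uint8_t buf[PAYLOAD_LEN];
    memcpy(buf, kPayload, PAYLOAD_LEN);
    hexdump("plain:", buf, PAYLOAD_LEN);
    sgn_encode(buf, PAYLOAD_LEN, kSeeds[0]);
    hexdump("layer 1:", buf, PAYLOAD_LEN);
    sgn_encode(buf, PAYLOAD_LEN, kSeeds[1]);
    hexdump("layer 2:", buf, PAYLOAD_LEN);
    sgn_decode(buf, PAYLOAD_LEN, kSeeds[1]);
    sgn_decode(buf, PAYLOAD_LEN, kSeeds[0]);
    hexdump("decoded:", buf, PAYLOAD_LEN);
    int ok = sgn_selftest();
    printf("selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point to take from the round trip is why byte-signature matching fails against this encoder: because the key feeds back from the data, a one-word change at the start of the payload, or a different seed, changes every following word, and with several layers the only constant part of the sample is the small decoder stub, which Metasploit in turn randomizes.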
None of this is unusual on its own; plenty of malware follows the same path. Once installed, the malware contacts its command and control server, which sends back shell commands. Those commands fetch additional components that are executed directly from memory rather than written to disk.
The goal is to download and run Mettle, Metasploit's Meterpreter implementation for Linux and embedded targets, which lets the attackers control the webcam, execute further shell commands, and more. Finally, the malware runs its last stage with root privileges, which lets it establish persistence and drop a cryptominer, in this case XMRig, mining Monero.
Interestingly, the command and control server is hosted on a popular cloud service, so the traffic blends in with legitimate cloud traffic rather than standing out by destination.
For prevention, the same rules apply as always: keep all systems patched (closing CVE-2021-4034 and CVE-2021-3493 in particular removes the privilege escalation this campaign relies on) and run a security solution on the host.
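As an added check, not from the AT&T Alien Labs report, the script below does a quick triage for the two privilege escalation bugs this campaign abuses on a host that cannot be patched immediately. It assumes the widely published stopgaps: CVE-2021-4034 needs a setuid-root pkexec, so removing the setuid bit neutralizes it until Polkit is updated, and the public CVE-2021-3493 exploit mounts OverlayFS from an unprivileged user namespace, which Ubuntu kernels gate behind the sysctl kernel.unprivileged_userns_clone (other kernels report it as unavailable). The function names are my own; the real fix remains the distribution patch.

```shell
# Added triage script, not part of the Shikitega report. Checks the two
# stopgap mitigations for the privilege escalation bugs the malware uses:
#   CVE-2021-4034 (PwnKit): pkexec must not be setuid root until patched.
#   CVE-2021-3493 (OverlayFS): the public exploit needs an unprivileged
#   user namespace; Ubuntu kernels expose kernel.unprivileged_userns_clone.
# Both are heuristics, not proof that the host is patched.

# Prints "missing" if the file does not exist, "setuid" if it carries the
# set-user-ID bit, "no-setuid" otherwise.
setuid_status() {
  if [ ! -e "$1" ]; then
    echo missing
  elif [ -u "$1" ]; then
    echo setuid
  else
    echo no-setuid
  fi
}

# Reads a sysctl value straight from /proc/sys (works without the sysctl
# binary); prints "unavailable" when the kernel does not have the knob.
sysctl_value() {
  f="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo unavailable
  fi
}

# Prints one line per finding; exit status is always 0 so it can run from
# inventory jobs without aborting them.
report() {
  for p in /usr/bin/pkexec /usr/local/bin/pkexec; do
    [ -e "$p" ] || continue
    s="$(setuid_status "$p")"
    printf '%s: %s' "$p" "$s"
    [ "$s" = setuid ] && printf ' (exposed to CVE-2021-4034 unless polkit is patched)'
    printf '\n'
  done
  u="$(sysctl_value kernel.unprivileged_userns_clone)"
  printf 'kernel.unprivileged_userns_clone: %s' "$u"
  [ "$u" = 1 ] && printf ' (CVE-2021-3493 exploit path open on unpatched Ubuntu kernels)'
  printf '\n'
  return 0
}

report
```

Run it as any user; removing the setuid bit (`chmod 0755 /usr/bin/pkexec`) and setting the sysctl to 0 are the stopgaps, and both break legitimate use cases (pkexec for unprivileged users, rootless containers), so treat them as temporary until the packages are updated.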