New Linux Cryptomining Malware
It’s pretty nasty:
The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes.
Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.
[…]
The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.
Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. “Without [a] domain name, it’s difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,” AT&T said.
Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.
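A defender's check for the cron-based persistence described in the excerpt, added here as an example (it is not code from the article or from AT&T's report): it reads crontab text and flags entries that run from world-writable or RAM-backed paths, or that pipe a download straight into a shell. The heuristics and the sample crontab are assumptions constructed for illustration, not indicators taken from the page.

```shell
#!/bin/sh
# Constructed sample of a user's crontab (not from the page): two ordinary entries
# and two that run a payload out of a world-writable temp directory.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1
@reboot /dev/shm/.cache/run
30 2 * * 0 /usr/local/bin/backup.sh'

# flag_cron_entries: read crontab text on stdin and print entries matching
# persistence heuristics (assumptions, not page indicators): a command living
# under a temp/RAM-backed path, or a curl/wget download piped into a shell.
flag_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -E \
        -e '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm|/run/user)/' \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' || true
}

# count_flagged: number of flagged entries in the crontab text passed as $1
count_flagged() {
    printf '%s\n' "$1" | flag_cron_entries | wc -l | tr -d ' '
}

# audit_all_crontabs: apply the same check to every user's crontab (the malware
# plants jobs for both the current user and root) and to the system cron files.
audit_all_crontabs() {
    for user in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$user" 2>/dev/null | flag_cron_entries | sed "s|^|[$user] |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_entries | sed 's|^|[system] |'
}

# Demo on the constructed sample; prints the two planted entries.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
```

On a live host, run `audit_all_crontabs` as root so that every user's crontab is readable; entries it prints still need manual review, since legitimate jobs can also use these paths.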
Another article.
Slashdot thread.
Clive Robinson • September 12, 2022 11:24 AM
@ ALL,
As I’ve said before, the first question to be asked is,
“What is the business case for this computer to be connected to publicly accessible communications?”
Usually there is no business case other than,
“It seemed like a common thing to do at the time.”
Whilst no commodity OS can be made secure, just as little or no commodity level hardware can be made secure, the *nixes used to be fairly easy to,
1, Minimise
2, Run from ROM.
Sadly those two ways of making your computer way less of a piece of hanging fruit are no longer what they were with many *nixes these days.
Plus the desire by management and marketing to do “the dumbest of things” appears to be getting way worse.
The two exploits the malware allegedly uses “pkexec(1)”[1] and “overlayfs”[2] are niceties, not essentials on a Linux “server” or “appliance” box.
Unfortunately for “embedded systems” such as appliances and IoT boxes they “come recommended” for various reasons. The oft used argument for “overlayfs” is it makes using what is a ROM image work in RAM with minimal changes…
So you can guess what is being hit and why they’ve not been patched in a year.
@ Bruce,
Maybe you should provide a link to your previous essays on why IoT and similar not being updated or patched is such a bad idea…
[1] CVE-2021-4034 : A local privilege escalation vulnerability was found on polkit’s “pkexec(1)” utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
https://linux.die.net/man/1/pkexec
[2] CVE-2021-3493 : The “overlayfs” implementation in the Linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
https://wiki.archlinux.org/title/Overlay_filesystem