Shikitega: New Stealth Malware Targeting Linux

[Figure: Shikitega operation process]

Shikitega adopts a multi-stage infection chain to compromise endpoints and IoT devices

Until recently, many Linux users believed the myth that, unlike Windows, Linux had no viruses and was not susceptible to attacks.

However, new data shows that the trends in cyberattacks are changing. According to data presented by the Atlas VPN team, the number of new Linux malware samples hit an all-time high in the first half of 2022, with nearly 1.7 million samples discovered. Researchers have also unveiled a new strain of Linux malware noted for its stealth and sophistication in infecting both traditional servers and small Internet of Things devices.

Compared to the same period last year, when 226,324 samples were discovered, the number of new Linux malware samples soared by almost 650%. Quarter over quarter, it decreased 2% from 872,165 in the fourth quarter of 2021 to 854,688 in the first quarter of 2022. In the second quarter the number of samples fell again, this time by 2.5%.

Nicknamed Shikitega by the AT&T Alien Labs researchers who discovered it, this malware is distributed through a multi-step infection chain that uses polymorphic encoding. It also uses legitimate cloud services to host its command and control servers. Together, these elements make detection extremely difficult.

“Threat actors continue to look for new ways to deliver malware in order to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi wrote. “Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder and gradually delivers its payload where each step reveals only a part of the total payload. Furthermore, the malware abuses known hosting services to host its command and control servers.”

The main features identified in the AT&T Alien Labs analysis are:

  1. The malware downloads and runs Metasploit's "Mettle" meterpreter to maximize its control over infected machines.
  2. Shikitega exploits system vulnerabilities to gain elevated privileges, persist, and run a crypto miner.
  3. The malware uses a polymorphic encoder to make it harder for antivirus engines to detect.
  4. Shikitega abuses legitimate cloud computing services to host some of its command and control (C&C) servers.

Mettle is a native-code implementation of Meterpreter, designed for portability, embeddability, and low resource usage. It can run on the smallest to the most powerful embedded Linux targets, and targets Android, iOS, macOS, Linux, and Windows, but can be ported to almost any POSIX-compliant environment.

New malware like BotenaGo and EnemyBot illustrates how malware authors rapidly integrate newly discovered vulnerabilities to find new victims and increase their reach. Shikitega uses a multi-layered infection chain whose first stage contains only a few hundred bytes, and each module is responsible for one specific task: downloading and running the Metasploit meterpreter, exploiting Linux vulnerabilities, configuring persistence on the infected machine, and finally downloading and executing a cryptominer.

The initial dropper is a very small ELF file: its total size is only about 370 bytes, of which the actual code is about 300 bytes. The malware uses Shikata Ga Nai, the polymorphic XOR additive-feedback encoder that is one of the most popular encoders in Metasploit. With this encoder the malware goes through multiple decryption loops, where one loop decrypts the next layer, until the final shellcode payload is decrypted and executed.
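To make the "one loop decrypts the next layer" mechanism concrete, here is an added example (not Shikitega's code and not Metasploit's Shikata Ga Nai itself) that models the XOR additive-feedback scheme: every 32-bit block is XORed with a running key, and the decoded block is then added into the key, which is what the real decoder stub's `xor` / `add` pair does. The payload bytes and the two keys are arbitrary constructed values; the randomized decoder stub and padding of the real encoder are not modeled.

```c
/* Added example: a simplified model of an XOR additive-feedback encoder,
 * layered twice. Not the Metasploit encoder and not the malware's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBLK 8  /* 32 bytes of constructed "payload" */

/* Decode in place: reveal one dword, then feed the plaintext into the key.
 * This mirrors the decoder stub's "xor [p], key ; add key, [p]" pair. */
static void af_xor_decode(uint32_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i < n; i++) {
        buf[i] ^= key;
        key += buf[i];        /* unsigned wrap-around is well defined in C */
    }
}

/* Encoder: the inverse, with the key still driven by the plaintext. */
static void af_xor_encode(uint32_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i < n; i++) {
        uint32_t plain = buf[i];
        buf[i] = plain ^ key;
        key += plain;
    }
}

/* Two layers: the output of layer 1 is the "plaintext" of layer 2, so the
 * layers must be peeled in reverse order. Decoding the outer layer only
 * exposes the inner loop, never the final payload. Returns 1 on success. */
int layered_roundtrip_ok(void) {
    uint32_t plain[NBLK], work[NBLK];
    for (size_t i = 0; i < NBLK; i++)
        plain[i] = 0x90909090u ^ (uint32_t)i;  /* constructed, not real shellcode */
    memcpy(work, plain, sizeof work);
    af_xor_encode(work, NBLK, 0x11223344u);    /* inner layer, arbitrary key 1 */
    af_xor_encode(work, NBLK, 0xdeadbeefu);    /* outer layer, arbitrary key 2 */
    af_xor_decode(work, NBLK, 0xdeadbeefu);    /* outer layer first ... */
    af_xor_decode(work, NBLK, 0x11223344u);    /* ... then the inner one */
    return memcmp(work, plain, sizeof work) == 0;
}

/* Why the feedback matters for signature-based detection: encode n identical
 * dwords and count adjacent ciphertext blocks that are equal. A static-key
 * XOR leaks the repetition (n-1 equal pairs); additive feedback leaks none,
 * because the key changes after every block. */
int adjacent_equal_blocks(int feedback, size_t n) {
    uint32_t buf[64];
    int equal = 0;
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) buf[i] = 0x41414141u;  /* constructed */
    if (feedback) {
        af_xor_encode(buf, n, 0x01020304u);
    } else {
        for (size_t i = 0; i < n; i++) buf[i] ^= 0x01020304u;
    }
    for (size_t i = 1; i < n; i++)
        if (buf[i] == buf[i - 1]) equal++;
    return equal;
}

int main(void) {
    printf("layered round trip ok: %d\n", layered_roundtrip_ok());
    printf("equal adjacent blocks, static XOR: %d\n", adjacent_equal_blocks(0, 8));
    printf("equal adjacent blocks, feedback XOR: %d\n", adjacent_equal_blocks(1, 8));
    return 0;
}
```

The practical consequence for an analyst is the one the report describes: a static scan of the outer file sees only the first loop and a blob of bytes, and every dumped layer has to be decoded (or emulated) before the next loop, and eventually the real payload, becomes visible.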

After several decryption loops, the final shellcode payload is decrypted and executed. Since the malware has no imports, it issues system calls directly with int 0x80 (the 32-bit x86 syscall interface) rather than through libc. As the dropper's main code is very small, it downloads and executes additional commands from its command and control by invoking syscall 102 (sys_socketcall):

  1. The C&C responds with additional shell commands to execute.
  2. The first highlighted bytes of the response are the shell commands the malware will execute.
  3. The received command downloads additional files from the server, which are not stored on disk but executed only in memory.
  4. Other versions of the malware use the execve system call to run /bin/sh with the command received from the C&C.
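Stages that are "executed only in memory" still leave one trace a defender can look for: a process started from an anonymous memfd, or from a file unlinked right after it was executed, has a /proc/<pid>/exe link that resolves to something like `/memfd:x (deleted)` or `/tmp/x (deleted)`. The following added example (not part of the AT&T report or the malware) is a small hunting check in C that flags both patterns; the sample link targets in the test are constructed strings.

```c
/* Added example: flag processes whose executable image is memfd-backed or
 * has been unlinked. Linux only; reads /proc. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DELETED_SUFFIX " (deleted)"

/* Returns 1 if a readlink()'d /proc/<pid>/exe target looks fileless:
 * either an anonymous memfd or a path the kernel marks as deleted. */
int exe_link_is_fileless(const char *target) {
    size_t len = strlen(target), dlen = strlen(DELETED_SUFFIX);
    if (strncmp(target, "/memfd:", 7) == 0) return 1;
    if (len >= dlen && strcmp(target + len - dlen, DELETED_SUFFIX) == 0) return 1;
    return 0;
}

/* Walks /proc, resolves the exe link of each numeric entry and reports the
 * suspicious ones to `out` (may be NULL). Returns the number flagged, or -1
 * if /proc cannot be opened. Kernel threads and processes we are not allowed
 * to inspect (readlink fails without root) are skipped silently. */
int scan_proc(FILE *out) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int flagged = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[64], target[4096];
        ssize_t n;
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        n = readlink(path, target, sizeof target - 1);
        if (n < 0) continue;
        target[n] = '\0';
        if (exe_link_is_fileless(target)) {
            flagged++;
            if (out) fprintf(out, "pid %s exe -> %s\n", e->d_name, target);
        }
    }
    closedir(d);
    return flagged;
}

int main(void) {
    int n = scan_proc(stdout);
    if (n < 0) { perror("/proc"); return 1; }
    printf("%d process(es) running from a memfd or deleted image\n", n);
    return 0;
}
```

Treat hits as leads, not verdicts: a long-running daemon whose binary was replaced by a package update also shows `(deleted)`, so pair each hit with its parent process, command line and open sockets. Note also that the stages run as `/bin/sh -c <command>` leave no such trace, since the shell itself is a normal on-disk binary; those are better caught by monitoring the sh child processes and their outbound connections.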

The next file downloaded and executed is another small ELF file (about 1 kB), also encoded with Shikata Ga Nai. This second-stage dropper decrypts a shell command and runs it through the execve syscall with '/bin/sh' as the program and the decrypted command as its argument; that shell command in turn downloads and executes further files. To run the next and final stage dropper with elevated privileges, it exploits two Linux privilege-escalation vulnerabilities: CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (the Ubuntu OverlayFS capability bug). Both have had patches available since early 2022, so a system with an up-to-date polkit package and kernel is not exposed to this step of the chain.

If you are interested in learning more about it, you can check the details in the original AT&T Alien Labs report.



  1.   Diego reguero said

    Again we confuse viruses with other types of malware (hole, Trojan).
    Viruses must have some kind of self-replication system without our express intervention.

  2.   Guille said

    Many technical words, but it says that a computer is infected through vulnerabilities. GNU/Linux updates itself daily, and since there is no need to pay for licenses, everyone has it legal and updated. So how do you get infected? And let's be serious, it's not that Linux doesn't have viruses, it's that it is much more difficult to spread them because it doesn't do silly things like running any file by its extension or running programs from a USB stick or DVD simply by inserting it into the computer; Microsoft takes more than twice as long to fix the vulnerabilities that are detected; from the start Linux has all the unnecessary ports closed, etc. This kind of news, created to sow doubt so that people do not move over to the GNU/Linux world, is laughable.

  3.   Ezekiel Departure said

    And what antivirus for linux is recommended?

    I had COMODO AV but it stopped updating the databases.