New Shikitega Malware Targets Linux and IoT Devices, Researchers Find
Security researchers have identified a new type of malware designed to compromise Linux and IoT devices, allowing attackers to take over and deploy cryptominers.
Linux systems have a reputation for being harder to compromise, but they are not invulnerable. As with any other operating system, known vulnerabilities have to be closed with security patches; an unpatched system stays exploitable, and attackers keep looking for a way in.
This is the case with the new Shikitega malware, which security researchers from AT&T Alien Labs identified in the wild targeting Linux operating systems and various IoT devices. The infection starts with a very small dropper, and the malware later relies on two known local privilege-escalation vulnerabilities, CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (in Ubuntu's OverlayFS implementation), to gain root. The dropper is heavily encoded in an attempt to bypass security solutions.
“The malware uses the ‘Shikata Ga Nai’ polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit,” security researchers explained. “Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.”
“After several decryption loops, the final payload shellcode will be decrypted and executed. As the malware does not use any imports, it uses ‘int 0x80’ to execute the appropriate syscall,” researchers added.
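To make the "XOR additive feedback" idea concrete, here is a small added illustration in C. It is not code from the Alien Labs report, from Bitdefender, or from Metasploit: it keeps only the arithmetic of the encoder (XOR each 32-bit word with a running key, then add the decoded word into the key) and stacks several layers with different seeds. The real Shikata Ga Nai encoder also emits a randomised decoder stub (an FPU-based GetPC sequence, shuffled registers, a fresh seed each run), which this toy does not reproduce. The payload bytes and seed values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* XOR additive feedback, one layer.
 * Each 32-bit word is XORed with the current key; the key is then
 * advanced by adding the plaintext word, so every key after the first
 * depends on everything decoded before it. Length must be a multiple of 4. */
static void xor_feedback_encode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t plain, enc;
        memcpy(&plain, buf + i, 4);
        enc = plain ^ key;
        memcpy(buf + i, &enc, 4);
        key += plain;            /* feedback: next key depends on this word */
    }
}

/* Exact inverse of the encoder: recover the word, then feed it into the key. */
static void xor_feedback_decode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t enc, plain;
        memcpy(&enc, buf + i, 4);
        plain = enc ^ key;
        memcpy(buf + i, &plain, 4);
        key += plain;
    }
}

#define LAYERS 3
/* Constructed 16-byte stand-in for a shellcode payload (15 chars + NUL). */
static const uint8_t PAYLOAD[16] = "toy-payload-123";

/* Nest LAYERS encodings with distinct seeds, then peel them in reverse order,
 * the way one decode loop hands off to the next. Returns 1 on exact round-trip. */
static int nested_roundtrip(void)
{
    /* Constructed seeds; a real encoder picks a fresh random seed per run. */
    const uint32_t seeds[LAYERS] = { 0x11223344u, 0xdeadbeefu, 0x0badf00du };
    uint8_t work[16];
    memcpy(work, PAYLOAD, 16);

    for (int l = 0; l < LAYERS; l++)
        xor_feedback_encode(work, 16, seeds[l]);
    if (memcmp(work, PAYLOAD, 16) == 0)
        return 0;                /* encoding must actually change the bytes */

    for (int l = LAYERS - 1; l >= 0; l--)
        xor_feedback_decode(work, 16, seeds[l]);
    return memcmp(work, PAYLOAD, 16) == 0;
}

/* Polymorphism: the same payload under a different seed yields different bytes,
 * which is why a static signature on the encoded payload does not hold up. */
static int seeds_differ(void)
{
    uint8_t a[16], b[16];
    memcpy(a, PAYLOAD, 16);
    memcpy(b, PAYLOAD, 16);
    xor_feedback_encode(a, 16, 0x11111111u);
    xor_feedback_encode(b, 16, 0x22222222u);
    return memcmp(a, b, 16) != 0;
}

/* Feedback property: damaging one encoded byte also corrupts the following
 * word, because the wrong decoded value is added into the key. */
static int corruption_propagates(void)
{
    uint8_t buf[16];
    memcpy(buf, PAYLOAD, 16);
    xor_feedback_encode(buf, 16, 0x5a5a5a5au);
    buf[0] ^= 0x01;              /* flip one bit of the first encoded byte */
    xor_feedback_decode(buf, 16, 0x5a5a5a5au);
    return memcmp(buf, PAYLOAD, 4) != 0 && memcmp(buf + 4, PAYLOAD + 4, 4) != 0;
}

int main(void)
{
    printf("nested round-trip ok:  %d\n", nested_roundtrip());
    printf("different seeds differ: %d\n", seeds_differ());
    printf("corruption propagates:  %d\n", corruption_propagates());
    return 0;
}
```

The third check is the practical consequence of the feedback: an analyst cannot decode the tail of a layer without the correct head, and a partial memory capture of an encoded stage will not decode cleanly past the first damaged word. The other point the researchers make, that the decoded shellcode calls the kernel through int 0x80 rather than through imported libc functions, means the dropper carries no symbol table or import list for static tools to key on.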
This part is not unusual in itself, as many malware families follow the same path. Once installed, the malware contacts its command and control server, which responds with shell commands. Those commands fetch additional components that are executed directly in memory.
The goal is to download and run Mettle, the Metasploit Meterpreter implementation for Linux and embedded targets, which lets attackers control the webcam, execute further shell commands, and more. Finally, the malware runs its last stage with root privileges, which allows it to set up persistence and drop a cryptominer: in this case XMRig, mining Monero.
Interestingly, the command and control server is hosted on a popular cloud service, which helps its traffic blend in with legitimate use of that service.
For prevention, the same rules apply as always. Keep all systems up to date (patches for the two privilege-escalation vulnerabilities Shikitega abuses have been available since their disclosure), and keep a security solution running in the background.