New Shikitega Malware Targets Linux and IoT Devices, Researchers Find

Silviu STAHIE

September 13, 2022

Security researchers have identified a new type of malware designed to compromise Linux and IoT devices, allowing attackers to take over and deploy cryptominers.

Despite their reputation as much more difficult to compromise, Linux systems are not invulnerable. As with any other operating system, vulnerabilities need to be closed with the latest security patches. If that doesn’t happen, the OS becomes vulnerable, and attackers will always look for a way in.

This is the case with the new Shikitega malware, which security researchers from AT&T Alien Labs identified in the wild targeting Linux operating systems and various IoT devices. Attackers deploy a small dropper by leveraging two vulnerabilities, CVE-2021-4034 and CVE-2021-3493. The dropper is heavily encoded in an attempt to bypass security solutions.

“The malware uses the ‘Shikata Ga Nai’ polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit,” security researchers explained. “Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.”

“After several decryption loops, the final payload shellcode will be decrypted and executed. As the malware does not use any imports, it uses ‘int 0x80’ to execute the appropriate syscall,” researchers added.
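To make the two quotes above concrete, here is an added toy model of a layered XOR additive-feedback decode loop and of the kind of check an analyst runs on the recovered payload. It is not code from the article, from AT&T Alien Labs or from Metasploit; the 32-bit feedback rule, the layer count and the sample bytes are assumptions chosen for illustration, not a byte-exact reimplementation of Shikata Ga Nai. The point it demonstrates is a defensive one: every layer of an additive-feedback scheme changes all of the bytes below it, so signatures written against the encoded dropper do not survive a re-encoding, while the decoded final stage still exposes static artefacts such as the `int 0x80` opcode (`cd 80`) that an import-free payload must use to reach the kernel.

```python
"""Toy model of an XOR additive-feedback encoder/decoder with several layers.

Added example (not from the article or the research it cites). The feedback
rule "key += decoded word" is an assumption for this toy; it mirrors the
general shape of Shikata Ga Nai-style decode loops but is not the real encoder.
"""
import struct

# Constructed sample: x86 exit(0) via int 0x80, used only as a harmless stand-in
# for an import-free payload (xor eax,eax ; mov al,1 ; xor ebx,ebx ; int 0x80).
SAMPLE_PAYLOAD = b"\x31\xc0\xb0\x01\x31\xdb\xcd\x80"

# Constructed per-layer keys; in a real stub each key lives in the decoder code.
KEYS = [0x5EED1234, 0x0BADF00D, 0x13579BDF]

INT80 = b"\xcd\x80"  # opcode bytes of `int 0x80` on 32-bit x86


def xor_additive_feedback_encode(payload: bytes, key: int) -> bytes:
    """XOR each little-endian dword with the key, then advance the key by the plaintext dword."""
    padded = payload + b"\x00" * (-len(payload) % 4)  # pad to whole dwords
    out = bytearray()
    for i in range(0, len(padded), 4):
        word = struct.unpack("<I", padded[i : i + 4])[0]
        out += struct.pack("<I", word ^ key)
        key = (key + word) & 0xFFFFFFFF  # feedback: every later word depends on this one
    return bytes(out)


def xor_additive_feedback_decode(blob: bytes, key: int) -> bytes:
    """Inverse of the encoder: the decoded dword is what feeds the key, so both sides agree."""
    out = bytearray()
    for i in range(0, len(blob), 4):
        word = struct.unpack("<I", blob[i : i + 4])[0] ^ key
        out += struct.pack("<I", word)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def encode_layers(payload: bytes, keys: list[int]) -> bytes:
    """Apply one encoding layer per key, innermost layer first."""
    blob = payload
    for key in keys:
        blob = xor_additive_feedback_encode(blob, key)
    return blob


def decode_layers(blob: bytes, keys: list[int]) -> bytes:
    """Peel the layers back in reverse order, as the stub's chained decode loops would."""
    for key in reversed(keys):
        blob = xor_additive_feedback_decode(blob, key)
    return blob


def uses_int80(code: bytes) -> bool:
    """Static check: does the (decoded) code contain the `int 0x80` opcode bytes?"""
    return INT80 in code


def recover_and_check(blob: bytes, keys: list[int]) -> tuple[bytes, bool]:
    """Analyst helper: unpack all layers and report whether the final stage uses int 0x80."""
    payload = decode_layers(blob, keys)
    return payload, uses_int80(payload)


if __name__ == "__main__":
    encoded = encode_layers(SAMPLE_PAYLOAD, KEYS)
    re_encoded = encode_layers(SAMPLE_PAYLOAD, [k ^ 0xFFFFFFFF for k in KEYS])
    print("encoded   :", encoded.hex())
    print("re-encoded:", re_encoded.hex(), "(same payload, different keys)")
    payload, flagged = recover_and_check(encoded, KEYS)
    print("recovered :", payload.hex(), "| int 0x80 present:", flagged)
```

Run as a script it prints two unrelated-looking byte strings for the same payload and then the recovered stage with the `cd 80` hit, which is why detection of this family leans on unpacking and on behaviour (syscalls, memory-only execution, outbound C2) rather than on byte signatures of the dropper.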

It’s not all that unusual, as many types of malware follow the same path. Once installed, the malware contacts the command and control server, which sends back various shell commands. The commands bring additional components that are executed directly from memory.

The goal is to download and run Mettle, the Metasploit Meterpreter payload, which allows attackers to control the webcam, execute other shell commands, and more. Finally, the malware executes the last stage with root privileges, allowing it to achieve persistence and drop a cryptominer. In this case, it's the XMRig miner for the Monero cryptocurrency.

Interestingly enough, the command and control server is hosted on a popular cloud service, which makes the traffic look legit.

For prevention, the same rules apply, as always. Keep all systems up to date and always have a security solution running in the background.
