New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica


Dan Goodin - Sep 9, 2022 8:22 pm UTC

Researchers this week unveiled a new strain of Linux malware that's notable for its stealth and sophistication in infecting both traditional servers and smaller Internet-of-things devices.

Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is delivered through a multistage infection chain using polymorphic encoding. It also abuses legitimate cloud services to host its command-and-control servers. Together, these techniques make detection extremely difficult.

"Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection," AT&T Alien Labs researcher Ofer Caspi wrote. "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers."

The ultimate objective of the malware isn't clear. It drops the XMRig software for mining the Monero cryptocurrency, so stealthy cryptojacking is one possibility. But Shikitega also downloads and executes a powerful Metasploit package known as Mettle, which bundles capabilities including webcam control, credential stealing, and multiple reverse shells into a package that runs on everything from "the smallest embedded Linux targets to big iron." Mettle's inclusion leaves open the potential that surreptitious Monero mining isn't the sole function.

The main dropper is tiny—an executable file of just 376 bytes.

The polymorphic encoding happens courtesy of the Shikata Ga Nai encoder, a Metasploit module that makes it easy to encode the shellcode delivered in Shikitega payloads. The encoding is combined with a multistage infection chain, in which each link responds to a part of the previous one to download and execute the next one.

"Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed," Caspi explained. "The encoder stub is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically."

A command server will respond with additional shell commands for the targeted machine to execute, as Caspi documented in a packet capture included in the original post. The bytes marked in blue in that capture are the shell commands that Shikitega will execute.

The commands and additional files, such as the Mettle package, are executed directly in memory without ever being saved to disk. This adds further stealth, because file-based antivirus scanning never sees an artifact to inspect.
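One host-side check a defender can run for this kind of fileless execution is to look at what backs each running process's executable. This is an added example, not code from the article or from Alien Labs; it assumes a Linux `/proc` filesystem and treats memfd-backed, tmpfs-resident and already-unlinked executables as suspicious, which is an assumption about how in-memory payloads tend to appear rather than anything the article states about Shikitega.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Finding:
    pid: int
    exe: str
    reason: str

def classify_exe(pid: int, exe: str) -> Optional[Finding]:
    """Flag a /proc/<pid>/exe link target that does not point at a regular on-disk file.

    Ordering matters: a memfd-backed image also carries the "(deleted)" suffix,
    so it is tested first to get the more specific reason. The patterns are an
    assumption about common in-memory execution styles, not page-specific facts.
    """
    if exe.startswith("/memfd:"):
        return Finding(pid, exe, "memfd-backed executable (never on disk)")
    if exe.startswith("/dev/shm/"):
        return Finding(pid, exe, "executable lives on tmpfs")
    if exe.endswith("(deleted)"):
        return Finding(pid, exe, "executable unlinked after exec")
    return None

def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk /proc and classify every readable exe link; unreadable entries are skipped."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        f = classify_exe(int(entry), exe)
        if f is not None:
            findings.append(f)
    return findings

# Constructed sample of (pid, exe link target) pairs, standing in for a real /proc walk.
SAMPLE: List[Tuple[int, str]] = [
    (1, "/usr/lib/systemd/systemd"),
    (4242, "/memfd:payload (deleted)"),
    (777, "/tmp/stage2 (deleted)"),
    (900, "/dev/shm/mettle"),
]

def scan_sample(sample: List[Tuple[int, str]] = SAMPLE) -> List[Finding]:
    """Apply classify_exe to constructed data so the logic can be exercised offline."""
    return [f for pid, exe in sample if (f := classify_exe(pid, exe)) is not None]

if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f.pid}: {f.exe} -> {f.reason}")
```

A hit is a lead, not a verdict: some legitimate tooling also runs from memfd or tmpfs, so pair this with the process's parent, network activity and command line before acting.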

The post provides file hashes and domains associated with Shikitega that interested parties can use as indicators of compromise. Given the work the unknown threat actors responsible devoted to the malware's stealth, it wouldn't be surprising if the malware is lurking undetected on some systems.
