A brand new Linux malware is in the headlines. Most IT professionals are alarmed by what this malware is designed to do. Let's look at this newly engineered attack in detail.
Recently, AT&T Alien Labs discovered this new malware and named it "Shikitega". It is built around a very small dropper, just 376 bytes, and uses a polymorphic encoder to deliver its payload in stages.
This staged delivery means the malware downloads and executes one module at a time, which helps it avoid attention and persist on the host. It is also capable of abusing legitimate cloud services, which makes it more dangerous: the researchers say the malware's command and control (C2) server is hosted on a "known hosting service", which helps it blend in with normal traffic.
What concerns the IT world the most is the purpose behind this malware. The researchers are baffled; it is hard to understand what the malware's authors were trying to achieve.
Shikitega is quite capable: it can run on all kinds of Linux devices and lets threat actors control the webcam on the target and steal credentials. It doesn't end there. This malware can also run XMRig, a popular cryptojacker that mines Monero cryptocurrency for the attackers. The researchers suspect that XMRig is deployed to monetize compromised devices that hold no sensitive data worth stealing.
This malware relies on two vulnerabilities to attack devices. One is PwnKit (CVE-2021-4034), one of the more notorious vulnerabilities, which went unnoticed for some 12 years before finally being spotted and fixed earlier this year. The other is CVE-2021-3493, discovered and patched more than a year ago (in April 2021).
Surprisingly, although fixes for both vulnerabilities are available, many IT administrators have still not applied them, especially on Internet of Things (IoT) devices.
The researchers are still trying to work out who the authors are, but they strongly advise all Linux admins to keep their software up to date, install a good antivirus and/or EDR on all endpoints, and back up their server files frequently.
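As an added illustration of the patching advice above (example code, not from the article or from AT&T Alien Labs), here is a small POSIX shell audit that flags the attack surface the two named CVEs depend on and the miner the article mentions. The pkexec path, the sysctl path and the process name `xmrig` are assumed defaults; the script reports exposure, not patch status or compromise.

```shell
#!/bin/sh
# Added example (not from the article or AT&T Alien Labs): exposure check for
# the two bugs Shikitega is reported to use plus the XMRig miner it can deploy.
# It reports attack surface only; it does not prove the host is patched.

# PwnKit (CVE-2021-4034) needs pkexec to be setuid root. A common interim
# mitigation while patching is to drop the setuid bit from pkexec.
pkexec_is_suid() {
    # $1: path to the pkexec binary (assumed /usr/bin/pkexec on most distros)
    [ -u "$1" ]
}

# CVE-2021-3493 (Ubuntu overlayfs bug) relies on unprivileged user namespaces.
# Ubuntu exposes the toggle as kernel.unprivileged_userns_clone (assumed path).
userns_unprivileged_enabled() {
    # $1: path to the sysctl file; a missing file means the knob does not exist
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# A running process named xmrig is a cheap first indicator worth a closer look.
xmrig_process_present() {
    pgrep -x xmrig >/dev/null 2>&1
}

# Run all checks, print one line per finding and a final count; always exits 0.
# $1: pkexec path, $2: sysctl path (both fall back to the assumed defaults).
shikitega_exposure_report() {
    pkexec_path="${1:-/usr/bin/pkexec}"
    sysctl_path="${2:-/proc/sys/kernel/unprivileged_userns_clone}"
    findings=0
    if pkexec_is_suid "$pkexec_path"; then
        echo "FINDING: $pkexec_path is setuid root; confirm polkit is patched for CVE-2021-4034"
        findings=$((findings + 1))
    fi
    if userns_unprivileged_enabled "$sysctl_path"; then
        echo "FINDING: unprivileged user namespaces enabled; confirm kernel is patched for CVE-2021-3493"
        findings=$((findings + 1))
    fi
    if xmrig_process_present; then
        echo "FINDING: xmrig process running; investigate for cryptojacking"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    return 0
}

# Run the report when executed directly with the RUN_REPORT variable set.
if [ "${RUN_REPORT:-0}" = "1" ]; then
    shikitega_exposure_report
fi
```

Run it as `RUN_REPORT=1 sh audit.sh` on a host, or source it and call `shikitega_exposure_report` with custom paths.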