On multiple occasions it has been pointed out that the absence of viruses for Linux is a myth. Rather, malware development is focused on the platforms that concentrate the most users.
Linux has a strong presence in the management of Internet of Things devices. Taking advantage of this, malware was created that targets these devices, bypassing the security measures in place to inject commands that activate a cryptocurrency mining system.
Shikitega, a sophisticated and stealthy malware for Linux
Researchers from AT&T’s cybersecurity division disclosed a new stealthy Linux malware, called Shikitega, that infects computers and IoT devices without being detected by antivirus.
The malware exploits vulnerabilities to elevate its privileges, enabling a Monero cryptocurrency miner on infected devices.
While the initial infection method is not known at this time, the AT&T researchers who discovered Shikitega say the malware uses a multi-step infection chain, with each layer delivering only a few hundred bytes, activating a simple module and then moving on to the next. Each module is responsible for a specific task, from downloading and running the malware, to exploiting Linux vulnerabilities, to setting up persistence on the infected machine, to downloading and running a cryptominer.
“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder and gradually delivers its payload where each step reveals only a part of the total payload,” explains the AT&T report.
Those who release these attack tools are constantly looking for new ways to distribute their malware and avoid detection. Shikitega is delivered in a sophisticated manner, and not only in terms of deploying its code on targeted devices: this malware also abuses known storage services to host its command and control servers. In the AT&T report, for example, a detection of this virus was reported coming from a Microsoft cloud server, routed through Cloudflare.
Supplementary reports to AT&T, as shared by Ars Technica, suggest that the purpose of this malware is not entirely clear. While it has been seen used for cryptocurrency mining, the report also notes that the capabilities of this virus include webcam monitoring, credential theft, and multiple reverse shells in one package running on everything from “the smallest embedded Linux targets to the big ones”.