CybersecurityTech News

Crypto malware Shikitega outwits traditional Linux protection

AT&T Alien Labs has published an analysis of the new Linux malware Shikitega. The malware gains root access and is difficult to detect.


Security researchers at AT&T Alien Labs have discovered a new type of Linux malware and dubbed it Shikitega. At the same time, they published a detailed analysis of the stages of infection and malware implantation. Because of its flexible, multi-stage structure, detecting the attack is difficult. Shikitega gains root access and installs the crypto miner XMRig.


The actual Linux malware dropper is a binary that the attackers place and execute on the target machine. This initial program is only 370 bytes in size; all later stages are downloaded from command-and-control servers and executed. The analysis gives no further information about the path of the initial infection. It can be assumed that Shikitega exploits existing security gaps in services accessible from the Internet for this first step; typically these are arbitrary file upload and code injection vulnerabilities in websites.

The first program in the infection chain – like the later program for downloading the exploits – uses the polymorphic “Shikata Ga Nai” XOR Additive Feedback Encoder. The code intended for execution is first unpacked over several loops.

In the next step, the current version of the malware downloads the meterpreter “Mettle”. It is part of the Metasploit Penetration Testing Framework and opens up a wide range of other attack vectors for the attacker. This allows arbitrary code to be executed, remote shells to be opened and commands to be executed from a command line. The target computer connects to the attacker’s system via a TLS-encrypted (Transport Layer Security) connection and then receives further commands for individual attacks.

In addition, Shikitega loads another program into the target system’s main memory and executes it there. Here the researchers observed different variants. Vulnerable installations are currently being compromised via attacks on polkit (CVE-2021-4034) and the Linux kernel file system “overlayfs” on Ubuntu (CVE-2021-3493). The first release of PolicyKit (now renamed polkit) contained a locally exploitable vulnerability in “pkexec” that an attacker could use to gain root privileges. The bug has been fixed with the v.121 release of polkit; corresponding patches have also been backported to older versions and distributed by the Linux distributions.

Attackers can also use a hole in the Linux kernel under Ubuntu to gain elevated privileges locally. To do this, the kernel must support “overlayfs”, which is why special attention is paid to kernel versions between 3.13 and 5.14. The combination of an Ubuntu-specific patch and the code in the Linux kernel leads to the misbehaviour that creates the vulnerability.

Armed with root privileges, the attackers then download the third tier of programs: shell scripts and the XMRig cryptocurrency mining malware. The downloaded scripts create cron entries both for the currently logged-in user and for root. These entries ensure that the mining malware runs from /var/tmp as a process named sshd with root privileges. If no cron daemon is installed, the malware installs one. A lock file in the same directory prevents multiple instances from running. Shikitega deletes the scripts after infection, which makes the infection harder to identify.

The structure of the Linux malware means that Shikitega’s developers can adapt both the malware and the exploits at any time. This could serve both to evade signature-based detection and to change the infection’s objectives. However, the structure could also simply be a necessity: once the domains used are named in an analysis, they can only be replaced through code changes, which in turn produce new signatures.

It is not enough for administrators to integrate signatures into their detection tools and firewalls. Systems secured in this way quickly reach their limits when the signatures change. Even monitoring systems for high load, for example with classic software such as Nagios, Munin or Cockpit, could come to nothing if the malware were changed. Regular, timely updates significantly reduce the risk of infection, but do not replace vigilance.

On infected machines, the file vm.lock is found in /var/tmp. AT&T Alien Labs lists a number of IOCs (Indicators of Compromise) for the individual programs, the domains used and the exploits, for use in attack detection.

The changes the Linux malware makes to the system can be detected reliably. This is where local intrusion detection solutions such as AIDE come in. However, such changes to the system are also made in legitimate ways, be they system updates or temporary files of applications in use. Ultimately, it remains the task of the administrators to find such anomalies promptly through regular analyses and to draw the right conclusions.
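The persistence traces described above (cron entries launching from /var/tmp, a miner process named sshd with root privileges, and the vm.lock file) can be checked with a small script. The following is an added example, not code from AT&T Alien Labs or from this article; the function names and the sample crontab are constructed, and only the user's own crontab is read unless run as root.

```shell
#!/bin/sh
# Added example (not from the AT&T Alien Labs analysis). Checks a host for the
# traces described in the article: cron entries that launch something from
# /var/tmp, a process named "sshd" whose binary lives under /var/tmp, and the
# /var/tmp/vm.lock file. Each check returns 0 (shell "true") when an indicator
# is present. Function names and the sample crontab below are constructed.

# Constructed sample crontab: one legitimate job and one entry of the kind the
# downloaded scripts create.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * /var/tmp/sshd >/dev/null 2>&1'

# Print non-comment crontab lines ($1 = crontab text) that execute from /var/tmp.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -E '^[^#]*/var/tmp'
}

# Look for a process named sshd running from /var/tmp (the real sshd lives in
# /usr/sbin). $1 = proc root (default /proc), so the check can be pointed at a
# constructed tree for testing.
sshd_from_var_tmp() {
    proc_root="${1:-/proc}"
    found=1
    for p in "$proc_root"/[0-9]*; do
        [ -d "$p" ] || continue
        name=$(cat "$p/comm" 2>/dev/null) || continue
        [ "$name" = "sshd" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /var/tmp/*) echo "PID ${p##*/}: sshd running from $exe"; found=0 ;;
        esac
    done
    return $found
}

# Check for the lock file; $1 = directory to inspect (default /var/tmp).
lock_file_present() {
    [ -e "${1:-/var/tmp}/vm.lock" ]
}

# Run all checks on the live host. Run as root to cover root's crontab and to
# be able to read every /proc/<pid>/exe link.
scan_host() {
    hit=1
    cron=$(crontab -l 2>/dev/null) || cron=''
    suspicious_cron_lines "$cron" && hit=0
    sshd_from_var_tmp /proc && hit=0
    lock_file_present /var/tmp && { echo "/var/tmp/vm.lock present"; hit=0; }
    return $hit
}

case "${1:-}" in --scan) scan_host ;; esac
```

Invoke the script with `--scan` to run all three checks on the current host; a zero exit status means at least one indicator was found and printed.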
