Cybercriminals are using a sophisticated Linux malware threat named Shikitega to gain control over Linux systems and IoT (Internet-of-Things) devices. The attackers leverage their access to the breached devices to deliver a crypto-mining threat, but the broad access and the obtained root privileges make it easy for the attackers to pivot and perform far more destructive and intrusive actions if they so desire.
The threat is deployed on the targeted devices via a complex multi-stage infection chain made up of several distinct modules. Each module receives instructions from the previous part of the Shikitega payload and ends its actions by downloading and executing the next part.
The initial dropper component is just a couple of hundred bytes, making it quite elusive and difficult to detect. Certain modules of the infection chain are designed to exploit Linux vulnerabilities to achieve persistence and establish control over the breached system. According to a report by the cybersecurity researchers at AT&T Alien Labs who analyzed the threat, Shikitega abuses the CVE-2021-3493 and CVE-2021-4034 vulnerabilities. The first one is described as a validation issue in the Linux kernel that allows attackers to obtain elevated privileges, while the second one is a local privilege escalation vulnerability in polkit's pkexec utility. Thanks to these vulnerabilities, the final part of the Shikitega malware is executed with root privileges. Another important detail is that, as part of its infection chain, the threat also delivers Mettle, an offensive security tool based on the Metasploit hacking kit.
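As an added defensive example (not code from the AT&T Alien Labs report or the malware itself), the script below looks for the CVE-2021-4034 step of the chain in a host's auth log: attempts to abuse pkexec typically leave its environment-sanitisation error messages in the authentication log, and a single pkexec process emitting both of them is a strong indicator. The log lines, hostname, PIDs and the rejected variable name are constructed for the example.

```python
"""Flag pkexec log messages associated with CVE-2021-4034 (PwnKit) exploitation attempts."""
import re
from typing import Dict, Iterable, List, Set

# Syslog-style line as written to /var/log/auth.log (or the journal) by pkexec.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The two messages pkexec logs when it rejects the environment an exploit sets up.
# Upstream polkit misspells "suspicious" as "suscipious"; both spellings are accepted.
PKEXEC_PATTERNS = {
    "env_var_rejected": re.compile(
        r"The value for environment variable (?P<var>\S+) contains sus(?:cipi|pici)ous content"
    ),
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found (?:in )?the /etc/shells file"
    ),
}

# Constructed sample input: two exploit indicators from one pkexec process plus
# unrelated auth-log noise that must not be flagged.
SAMPLE_AUTH_LOG = [
    "Sep  6 11:02:15 iot-gw pkexec[2171]: The value for the SHELL variable was not found the /etc/shells file",
    "Sep  6 11:02:15 iot-gw pkexec[2171]: The value for environment variable XAUTHORITY contains suscipious content",
    "Sep  6 11:02:16 iot-gw sshd[2180]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2",
    "Sep  6 11:03:01 iot-gw pkexec[2201]: admin: Executing command [USER=root] [TTY=unknown] [CWD=/home/admin] [COMMAND=/usr/bin/id]",
]


def scan_auth_log(lines: Iterable[str]) -> List[Dict]:
    """Return one hit per pkexec line that matches a PwnKit indicator message."""
    hits = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not a pkexec line
        for kind, pat in PKEXEC_PATTERNS.items():
            pm = pat.search(m["msg"])
            if pm:
                hits.append({"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                             "kind": kind, "var": pm.groupdict().get("var")})
                break
    return hits


def suspicious_pids(hits: List[Dict]) -> Set[int]:
    """PIDs that produced both indicator messages: treat these as probable exploitation."""
    kinds_by_pid: Dict[int, Set[str]] = {}
    for h in hits:
        kinds_by_pid.setdefault(h["pid"], set()).add(h["kind"])
    return {pid for pid, kinds in kinds_by_pid.items() if kinds == set(PKEXEC_PATTERNS)}


if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_AUTH_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']} pid={h['pid']} {h['kind']} var={h['var']}")
    print("probable PwnKit exploitation by pid:", sorted(suspicious_pids(found)))
```

On a live host, feed the script the lines of `/var/log/auth.log` (or `journalctl -t pkexec` output in the same syslog format) and follow up on any PID reported; an unpatched polkit is the root cause, so the fix is updating polkit, not filtering the log.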
The cybersecurity researchers warn that certain elements of the Shikitega attack, such as some of the Command-and-Control (C2, C&C) servers, are hosted on legitimate Cloud services. Shikitega also utilizes a polymorphic encoder to make detection by anti-malware solutions even more difficult.