AL2022_59 New Linux malware evades detection using multi-stage deployment (9th September 2022) 

Description 

Shikitega, a new stealthy Linux malware, has been found to infect computers and IoT devices with extra payloads. 

Summary 

The malware launches a cryptocurrency miner on infected devices after adding persistence to the host via crontab and exploiting vulnerabilities to increase privileges. 

Shikitega is very stealthy and it uses a polymorphic encoder to avoid anti-virus detection, thus making static signature-based detection impossible. 

How it works  

Shiketega malware employs a polymorphic encoder and delivers its payload gradually with each step revealing only a portion of the complete payload. 

The dropper which is an ELF file with 370 bytes of encoded shellcode, is where the infection starts. The polymorphic XOR additive feedback encoder "Shikata Ga Nai" is used for the encoding. The virus uses the encoder to cycle through several decode loops, each of which decodes the subsequent layer up until the final shellcode payload is decoded and executed. 

Based on dynamic instruction replacement and dynamic block ordering, the encoder stud is produced. Registers are additionally chosen dynamically. 

Following decryption, the shellcode is used to communicate with the malware's command and control servers (C2) and obtain more commands that are saved and executed directly from memory. 

One of these commands downloads and runs "Mettle," a compact and portable Metasploit Meterpreter payload that provides the attackers with additional options for remote control and code execution on the host. The final stage payload, a cryptocurrency miner, is downloaded as root by Mettle using a smaller ELF file that exploits CVE-2021-4034 (also known as PwnKit) and CVE-2021-3493. By downloading five shell scripts that add four cronjobs, two for the root user and two for the current user, the crypto miner is given persistence. Since the crontabs are a powerful persistence mechanism, all downloaded files are deleted to lessen the chance that the infection would be identified. The cryptocurrency miner, XMRig version 6.17.0, is designed to mine Monero, a hard-to-track cryptocurrency that prioritizes privacy. These five scripts are as follows: 

  • Unix.sh- this script checks if crontab commands exist in the system, if not it is installed and starts the crontab service. 

  • Brict.sh- this script adds crontab for current user to execute crypto miner. 

  • Politrict.sh- this script adds root user crontab to execute crypto miner. 

  • Truct.sh- this script adds crontab for user to download crypto miner and config from the C2 server. 

  • Restrict.sh- this script adds root crontab to download crypto miner and config from the C2 server. 

The threat actors behind Shikitega maintain their command-and-control infrastructure on legitimate cloud hosting services, reducing the likelihood that network security products may raise an alert. This option is more expensive and increases the chance that the operators will be located and identified by law enforcement but also improves stealthiness in the compromised systems. 

Remediation  

It is recommended that users ensure that they have the latest packages installed on their systems. There are a few Linux security tools such as rkhunter, lynis, chkrootkit, clamav and LMD, that can be used to ensure systems are safe. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Linux malware evades detection using multi-stage deployment.pdf

References