Endpoint/Device Security, Malware

New stealthy Shikitega malware examined

BleepingComputer reports that a novel, stealthy Linux malware named Shikitega is infecting computers and internet of things devices with additional payloads, exploiting security flaws to escalate privileges and establish persistence before deploying a cryptominer. According to an AT&T report, Shikitega uses a multi-step infection chain in which each layer delivers only a few hundred bytes, just enough to activate the next module. "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload," the researchers said. The attack begins with a 370-byte ELF file containing encoded shellcode, which the malware runs through numerous decode loops using the Shikata Ga Nai encoder. Once decryption completes, the researchers added, the malware receives additional shellcode commands, one of which executes the Mettle payload, giving the operators remote control and code execution capabilities. Mettle then retrieves a smaller ELF file, which downloads the cryptocurrency miner as the final-stage payload. The report notes that five shell scripts are then downloaded to give the cryptominer persistence.
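The stager described above is notable for how little it carries: a few hundred bytes of ELF wrapping an encoded shellcode stub. From a defender's side, that profile is itself a triage signal. The script below is an added example, not code from the AT&T report, from SC Media, or from Shikitega itself. It parses ELF and program headers by hand (no third-party library) and flags files that are unusually small, carry no section header table, or map a load segment as both writable and executable, which is what a self-decoding stub needs. The 1024-byte threshold, the indicator names, and the two embedded sample files are constructed assumptions for the demonstration; the samples are built from headers and zero padding only and contain no code.

```python
"""Triage helper: flag tiny, self-contained Linux ELF files for analyst review.

Added example for illustration; it is not code from the AT&T report or from the
malware it describes. Thresholds and indicator names are assumptions.
"""
import struct
from pathlib import Path
from typing import Optional

ELF_MAGIC = b"\x7fELF"
TINY_THRESHOLD = 1024          # assumed cut-off; the reported dropper was 370 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4     # segment permission bits from the ELF spec


def parse_elf(data: bytes) -> Optional[dict]:
    """Parse the ELF header and program header table. Returns None if not ELF."""
    if len(data) < 52 or not data.startswith(ELF_MAGIC):
        return None
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        if len(data) < 64:
            return None
        e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
        e_entry, e_phoff, e_shoff = struct.unpack_from(end + "QQQ", data, 24)
        _, e_phentsize, e_phnum, _, e_shnum = struct.unpack_from(end + "HHHHH", data, 52)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # Elf64_Phdr: p_flags is 2nd field
    else:
        e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
        e_entry, e_phoff, e_shoff = struct.unpack_from(end + "III", data, 24)
        _, e_phentsize, e_phnum, _, e_shnum = struct.unpack_from(end + "HHHHH", data, 40)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # Elf32_Phdr: p_flags is 7th field
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ph_fmt) > len(data):
            break                       # truncated table: stop rather than raise
        ph = struct.unpack_from(ph_fmt, data, off)
        segments.append({"type": ph[0], "flags": ph[flags_idx]})
    return {"class": 64 if is64 else 32, "type": e_type, "machine": e_machine,
            "entry": e_entry, "shnum": e_shnum, "segments": segments}


def triage_elf(data: bytes) -> list:
    """Return heuristic indicators for one file (empty list = nothing unusual)."""
    hdr = parse_elf(data)
    if hdr is None:
        return []
    indicators = []
    if len(data) < TINY_THRESHOLD:
        indicators.append(f"tiny ELF ({len(data)} bytes)")
    if hdr["shnum"] == 0:
        indicators.append("no section header table (hand-built or aggressively stripped)")
    if any(s["type"] == PT_LOAD and s["flags"] & PF_X and s["flags"] & PF_W
           for s in hdr["segments"]):
        indicators.append("writable+executable PT_LOAD segment (self-decoding stub)")
    return indicators


def scan_directory(root: str) -> dict:
    """Walk a directory tree and return {path: indicators} for flagged ELF files."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()       # files of interest are small; full read is fine
        except OSError:
            continue
        ind = triage_elf(data)
        if ind:
            hits[str(p)] = ind
    return hits


def build_sample_elf64(size: int, pflags: int, shnum: int) -> bytes:
    """Constructed sample: minimal x86-64 ELF, one PT_LOAD segment, zero-padded body."""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", ELF_MAGIC, 2, 1, 1, 0, 0,
                       2, 0x3E, 1, 0x400078, 64, 0, 0, 64, 56, 1, 64, shnum, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, pflags, 0, 0x400000, 0x400000,
                       size, size, 0x1000)
    body = ehdr + phdr
    return body + b"\x00" * (size - len(body))


# Constructed inputs: a 370-byte RWX stub with no sections, and a plain R-X binary.
DROPPER_SAMPLE = build_sample_elf64(370, PF_R | PF_W | PF_X, 0)
BENIGN_SAMPLE = build_sample_elf64(4096, PF_R | PF_X, 12)

if __name__ == "__main__":
    for name, blob in (("dropper-like", DROPPER_SAMPLE), ("benign-like", BENIGN_SAMPLE)):
        print(name, "->", triage_elf(blob) or "no indicators")
```

Each indicator on its own is weak (embedded firmware and hand-written assembly produce tiny, sectionless binaries legitimately), so treat a file that trips all three as a triage candidate rather than a verdict, and pair the scan with the network and process telemetry that a staged download chain like the one above would generate.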
