A brand new Linux malware strain capable of different kinds of nasties has been detected, capable of abusing legitimate cloud services to stay hidden in plain sight.
Cybersecurity researchers from AT&T Alien Labs recently discovered the malware and named it Shikitega. It comes with a super tiny dropper (376 bytes), using a polymorphic encoder that gradually drops the payload. That means that the malware will download and execute one module at a time, making sure it stays hidden and persistent.
The command & control (C2) server for the malware is hosted on a “known hosting service”, making it stealthier, it was said.
Abusing PwnKit
The researchers aren’t absolutely certain what the malware’s authors were trying to achieve.
Shikitega is quite potent, as it can run on all kinds of Linux devices, and allows threat actors to control the webcam on the target endpoint, as well as steal credentials. On the other hand, it’s also capable of running XMRig, a known cryptojacker that mines the Monero cryptocurrency for the attackers. One can only speculate that the XMRig was added to make use of compromised devices that have no sensitive data to be stolen.
The malware relies on two vulnerabilities, both patched months ago, to compromise the devices and achieve persistence. One is PwnKit (CVE-2021-4034), one of the more infamous vulnerabilities that went undetected for some 12 years, before finally being spotted and fixed earlier this year. The other one is CVE-2021-3493, discovered and patched more than a year ago (in April 2021).
While there’s a fix for both these holes, the researchers are saying, many IT administrators are yet to apply them, especially when it comes to Internet of Things (IoT) devices.
The researchers don’t yet know who the authors are, and are suggesting all Linux admins to keep their software up to date, install an antivirus and/or EDR on all endpoints, and make sure they back up their server files.
- These are the best Linux distros for small businesses right now
Via: Ars Technica
