Security researchers at AT&T Alien Labs have discovered a new Linux malware family and named it Shikitega. Alongside the discovery they published a detailed analysis of the infection stages and of how the malware implants itself. Because of its flexible, multi-stage structure the attack is difficult to detect. Shikitega obtains root privileges and installs the XMRig cryptocurrency miner.
The dropper that starts the infection is a small binary that the attackers place and execute on the target machine; this first program is only 370 bytes in size. Every later stage is fetched from command-and-control servers and executed in turn. The analysis gives no further information about the initial infection path. It is reasonable to assume that Shikitega exploits known vulnerabilities in services exposed to the Internet for this first step, typically arbitrary file upload and code injection flaws in web applications.
The first program in the chain, like the later program that downloads the exploits, is encoded with the polymorphic “Shikata Ga Nai” XOR additive feedback encoder from Metasploit. The code to be executed is wrapped in several layers of encoding, so it passes through several decoding loops before the actual payload runs, and each encoding run produces different bytes for the same payload.
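The following is an added example, not code from the AT&T Alien Labs analysis or from Metasploit, that models the XOR additive-feedback scheme and the layered wrapping in Python. It assumes 32-bit little-endian blocks, a key stored in front of each layer, and that the feedback adds the decoded dword to the running key (the order in which an in-place decoder stub XORs a dword and then reads it back); Metasploit's real encoder additionally randomises the decoder stub's instructions, which is not modelled here. What it shows: the same payload encodes to different bytes under each key, and because of the feedback even repeated plaintext dwords do not produce repeated ciphertext, which is why static byte signatures on the encoded stages do not hold.

```python
"""Toy model of an XOR additive-feedback encoder of the Shikata Ga Nai family.

Added example; not code from the Alien Labs report or from Metasploit.
Assumptions (not from the article): 32-bit little-endian blocks, the key is
stored in front of each layer, and the feedback adds the *decoded* dword to
the key. Decoder-stub polymorphism is not modelled.
"""
import os
import struct

MASK32 = 0xFFFFFFFF


def _pad(data: bytes) -> bytes:
    """Pad to a multiple of 4 bytes with NOPs (0x90), as an encoder would."""
    return data + b"\x90" * (-len(data) % 4)


def xor_af_encode(plain: bytes, key: int) -> bytes:
    """Encode: out[i] = in[i] ^ key; then key += in[i] (additive feedback)."""
    plain = _pad(plain)
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & MASK32
    return bytes(out)


def xor_af_decode(enc: bytes, key: int) -> bytes:
    """Decode in the order a decoder stub would: XOR in place, then feed back."""
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", enc):
        dec = dword ^ key
        out += struct.pack("<I", dec)
        key = (key + dec) & MASK32  # reads back the dword just decoded
    return bytes(out)


def wrap_layers(payload: bytes, keys: list) -> bytes:
    """Apply several encoding layers; each layer prefixes its own key.

    This mirrors 'wrapped in several loops': the outer decoder runs, exposes
    the next key and encoded blob, and so on until the payload appears.
    """
    blob = payload
    for key in keys:
        blob = struct.pack("<I", key) + xor_af_encode(blob, key)
    return blob


def unwrap_layers(blob: bytes, depth: int) -> bytes:
    """Peel the layers added by wrap_layers, outermost first."""
    for _ in range(depth):
        key = struct.unpack("<I", blob[:4])[0]
        blob = xor_af_decode(blob[4:], key)
    return blob


def random_keys(n: int) -> list:
    """Fresh 32-bit keys; a new set per build is what makes the output polymorphic."""
    return [int.from_bytes(os.urandom(4), "little") for _ in range(n)]


if __name__ == "__main__":
    # Constructed 8-byte stand-in for shellcode (not a real payload).
    payload = b"\x48\x31\xc0\x48\x31\xff\x0f\x05"
    a = wrap_layers(payload, random_keys(3))
    b = wrap_layers(payload, random_keys(3))
    print("build 1:", a.hex())
    print("build 2:", b.hex())
    print("identical bytes:", a == b, "| decodes back:", unwrap_layers(a, 3) == payload)
```

Run stand-alone, it prints two builds of the same payload that share no byte pattern beyond their length, and confirms that peeling three layers restores the payload.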
In the next step, the current version of the malware downloads “Mettle”, the Meterpreter implementation for Linux and embedded targets that is part of the Metasploit penetration testing framework. It gives the attacker a broad set of further capabilities: executing arbitrary code, spawning shells and running commands from a command line. The target computer connects to the attacker’s system over a Transport Layer Security (TLS) encrypted connection and then receives further commands for individual attacks.
Holes in polkit and overlayfs
In addition, Shikitega loads another program into the target system’s memory and executes it there; the researchers observed several variants of this stage. Vulnerable installations are currently compromised through attacks on polkit (CVE-2021-4034) and on the Linux kernel’s “overlayfs” on Ubuntu (CVE-2021-3493). pkexec, part of PolicyKit (since renamed polkit), has carried a locally exploitable vulnerability since its first release that an attacker can use to gain root privileges. The bug was fixed in the polkit 121 release, and the Linux distributions have backported the patch to older versions. Because those backports usually leave the reported version number unchanged, the output of pkexec --version alone does not show whether a system is patched; the distribution’s advisory or package changelog is authoritative.
Attackers can also use a hole in the Linux kernel as shipped by Ubuntu to escalate privileges locally. The kernel must support “overlayfs”, which is why kernel versions between 3.13 and 5.14 deserve special attention. The vulnerability arises from the combination of an Ubuntu-specific patch, which lets unprivileged users mount overlayfs inside a user namespace, with the upstream kernel code that applied file capabilities during copy-up without checking the mounting user’s namespace; together they let a local user create a file whose capabilities are honoured outside the namespace.
Persistence and execution using cron jobs
Armed with root privileges, the attackers download the third stage: shell scripts and the XMRig cryptocurrency mining malware. The downloaded scripts create cron entries both for the currently logged-in user and for root. These entries ensure that the miner runs with root privileges as a process named sshd, started from /var/tmp. If no cron daemon is installed, the malware installs one. A lock file in the same directory prevents multiple instances from running. Shikitega deletes its scripts after the infection, which makes the infection harder to identify.
The modular structure of the malware means that Shikitega’s developers can swap both the malware components and the exploits at any time. This can serve to evade signature-based detection as well as to change the targets of the infection. The structure may also simply be a necessity: once the domains used are named in an analysis, they can only be changed by changing the code, which in turn produces new signatures.
Difficult infection detection
It is not enough for administrators to load the published signatures into their detection systems and firewalls. Systems protected this way quickly reach their limits as soon as the signatures change. Even load monitoring with classic tools such as Nagios, Munin or Cockpit can miss a modified variant of the malware. Regular, timely updates significantly reduce the risk of infection but do not replace vigilance.
On infected machines, the lock file /var/tmp/vm.lock is one indicator. AT&T Alien Labs lists a number of IOCs (indicators of compromise) for the individual programs, the domains used and the exploits, which can be used for detection.
The changes the malware makes to the system can be detected reliably. This is where local intrusion detection tools such as the file integrity checker AIDE come in. The catch is that such changes also happen legitimately, whether through system updates or through temporary files of applications in use. In the end it remains the administrators’ job to find such anomalies quickly through regular analysis and to draw the right conclusions.
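As an added example (not a tool from the AT&T Alien Labs report and not the published IOC list), the Python script below checks a host for the persistence traits described in the cron-job section and the lock-file indicator named above: cron entries that run something from a temporary directory, processes that call themselves sshd but do not run from where the distribution installs sshd (or whose binary has been deleted from disk, which /proc reports with a “(deleted)” suffix), and the presence of /var/tmp/vm.lock. The sample crontab and process table embedded in it are constructed for the demonstration; the list of legitimate sshd paths is an assumption about typical installs, and only the lock-file path and the /var/tmp directory come from the article.

```python
"""Host checks for the persistence traits described in the article.

Added example, not code from the Alien Labs report. The crontab and process
table below are constructed samples; LEGIT_SSHD is an assumption about where
distributions install sshd. Run as root on Linux to inspect the live system.
"""
import os
import re
from dataclasses import dataclass

SUSPECT_DIRS = ("/var/tmp", "/tmp", "/dev/shm")          # from the article: miner runs from /var/tmp
LEGIT_SSHD = ("/usr/sbin/sshd", "/usr/local/sbin/sshd")  # assumption: usual install paths
LOCK_FILE = "/var/tmp/vm.lock"                           # from the article

# user crontab line: five time fields or an @keyword, then the command
_CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return cron lines whose command runs anything from a temp directory.

    Coarse heuristic: a path prefix match, so /opt/tmp/ would also trigger.
    """
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = _CRON_RE.match(line)
        if m and any(d + "/" in m.group("cmd") for d in SUSPECT_DIRS):
            hits.append(line.strip())
    return hits


@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink of /proc/<pid>/exe


def masquerading_sshd(procs: list) -> list:
    """Processes named sshd that run from an unexpected path or a deleted file."""
    hits = []
    for p in procs:
        if p.comm != "sshd":
            continue
        exe = p.exe.removesuffix(" (deleted)")
        if exe not in LEGIT_SSHD or exe != p.exe:
            hits.append(p)
    return hits


def lock_file_present(path: str = LOCK_FILE, exists=os.path.exists) -> bool:
    """True if the miner's lock file exists (exists() is injectable for tests)."""
    return exists(path)


def live_procs() -> list:
    """Collect comm/exe for every process from /proc (Linux only)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or no permission (run as root)
        out.append(Proc(int(pid), comm, exe))
    return out


SAMPLE_ROOT_CRONTAB = """\
# constructed sample crontab, not a real capture
SHELL=/bin/sh
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
* * * * * /var/tmp/sshd >/dev/null 2>&1
@reboot /var/tmp/.x/run.sh
"""

SAMPLE_PROCS = [  # constructed sample process table
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(4711, "sshd", "/var/tmp/sshd"),
    Proc(4720, "sshd", "/var/tmp/sshd (deleted)"),
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
]


if __name__ == "__main__":
    on_linux = os.path.isdir("/proc/1")
    procs = live_procs() if on_linux else SAMPLE_PROCS
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_ROOT_CRONTAB))
    print("masquerading sshd:", masquerading_sshd(procs))
    print("lock file present:", lock_file_present())
```

On a real host, feed suspicious_cron_entries() the output of crontab -l for root and for each user, and treat a hit from masquerading_sshd() as high priority: a process that calls itself sshd but runs from /var/tmp, or whose binary has already been deleted, has no legitimate explanation.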