Context
On September 6, 2022, researchers at AT&T Alien Labs reported technical details of a new malware, “Shikitega,” that targets endpoints and internet of things (IoT) devices running Linux operating systems. Once delivered, Shikitega allows actors full remote access to the infected system and installs a cryptominer with persistence. Key takeaways from the report include:
- The malware downloads and executes the Metasploit “Mettle” meterpreter to maximize its control over infected machines.
- Shikitega exploits Linux privilege-escalation vulnerabilities (the IOC table below ties two of the hashes to CVE-2021-3493 and CVE-2021-4034) to gain elevated privileges, persist, and execute a cryptominer.
- The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect.
- Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.
Impact Analysis
AT&T researchers did not disclose any information on the specific targeted organizations, specific targeted devices, or targeted industries of the Shikitega campaign. As such, it is not currently known if this malware has been leveraged against the retail, hospitality, or travel sectors. Organizations employing Linux in any of their operations are encouraged to consider the mitigation options and ingest the indicators of compromise (IOCs) provided here as part of a proactive defense.
Technical Details
According to AT&T researchers, Shikitega uses a multi-stage infection chain in which each module accomplishes a specific task and then hands off to the next. The chain is as follows:
- Download and execute the Metasploit Mettle meterpreter.
- Exploit Linux vulnerabilities to escalate privileges.
- Establish persistence on the infected device.
- Download and execute the cryptominer.
Mitigation Options
AT&T researchers recommended the following defensive measures:
- Keep software up to date with security updates.
- Install antivirus and/or EDR on all endpoints.
- Use a backup system to back up server files.
IOCs
AT&T researchers provided the following IOCs:
Indicator | Type | Notes |
dash[.]cloudflare[.]ovh | Domain | Command and control |
main[.]cloudfronts[.]net | Domain | Command and control |
b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331 | SHA256 | Malware hash |
0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed | SHA256 | Malware hash |
f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb | SHA256 | Malware hash |
8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732 | SHA256 | Malware hash |
d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374 | SHA256 | Malware hash |
fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765 | SHA256 | Malware hash |
e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d | SHA256 | Malware hash |
cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d | SHA256 | Malware hash |
d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8 | SHA256 | Malware hash |
29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8 | SHA256 | Malware hash |
4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7 | SHA256 | Malware hash |
130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5 | SHA256 | Malware hash |
3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098 | SHA256 | Malware hash |
6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275 | SHA256 | Malware hash |
7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad | SHA256 | Malware hash |
2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab | SHA256 | Malware hash (CVE-2021-3493 exploit) |
4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f | SHA256 | Malware hash (CVE-2021-4034 exploit) |
e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4 | SHA256 | Malware hash |
64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4 | SHA256 | Malware shell script |
623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955 | SHA256 | Malware shell script |
59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af | SHA256 | Malware shell script |
9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338 | SHA256 | Malware shell script |
05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464 | SHA256 | Malware shell script |
ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d | SHA256 | Malware hash |
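The Impact Analysis above asks defenders to ingest these IOCs. The following Python script is an added example, not code from the AT&T report or from this advisory: it loads the table above, refangs the `[.]` domains, sweeps a directory tree for files whose SHA256 matches, and flags resolver-log lines that name a C&C domain or any of its subdomains (so `cdn.main.cloudfronts.net` matches while `notcloudfronts.net` does not). The dnsmasq-style log lines and the temporary files in `demo_file_scan()` are constructed here for illustration; the script name `shikitega_ioc_sweep.py` is an assumption.

```python
import hashlib
import os
import re
import sys
import tempfile

# Copied from the IOC table above. Domains stay defanged; refang() restores them at load time.
SHIKITEGA_DOMAINS = ["dash[.]cloudflare[.]ovh", "main[.]cloudfronts[.]net"]
SHIKITEGA_SHA256 = [
    "b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331",
    "0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed",
    "f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb",
    "8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732",
    "d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374",
    "fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765",
    "e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d",
    "cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d",
    "d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8",
    "29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8",
    "4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7",
    "130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5",
    "3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098",
    "6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275",
    "7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad",
    "2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab",
    "4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f",
    "e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4",
    "64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4",
    "623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955",
    "59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af",
    "9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338",
    "05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464",
    "ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d",
]

def refang(indicator):
    """'dash[.]cloudflare[.]ovh' -> 'dash.cloudflare.ovh'; defanging only protects the write-up."""
    return indicator.replace("[.]", ".").strip().lower()

def load_iocs(domains=SHIKITEGA_DOMAINS, hashes=SHIKITEGA_SHA256):
    """Normalise the table into lookup sets: (refanged domains, lowercase hex digests)."""
    return frozenset(map(refang, domains)), frozenset(h.strip().lower() for h in hashes)

def domain_matches(host, domains):
    """True for the C&C domain itself or any subdomain; 'notcloudfronts.net' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # streamed so large binaries need not fit in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(root, digests):
    """Walk root and return (path, sha256) for regular files whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices and sockets
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, or vanished between listing and hashing
            if digest in digests:
                hits.append((path, digest))
    return hits

# Hostname tokens in a resolver log line (dnsmasq, systemd-resolved, Zeek dns.log, ...).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def scan_dns_log(lines, domains):
    """Return (line_number, hostname) for every line that names a C&C domain or subdomain."""
    return [(n, host.lower()) for n, line in enumerate(lines, 1)
            for host in HOST_RE.findall(line) if domain_matches(host, domains)]

# Constructed dnsmasq-style lines for the demo; not a real capture.
SAMPLE_DNS_LOG = [
    "Sep  6 10:01:02 gw dnsmasq[812]: query[A] dash.cloudflare.ovh from 10.0.0.21",
    "Sep  6 10:01:03 gw dnsmasq[812]: query[A] archive.ubuntu.com from 10.0.0.21",
    "Sep  6 10:01:04 gw dnsmasq[812]: query[A] cdn.main.cloudfronts.net from 10.0.0.33",
    "Sep  6 10:01:05 gw dnsmasq[812]: query[A] notcloudfronts.net from 10.0.0.33",
]

def demo_file_scan():
    """Offline demo: hash a constructed (harmless) file and add it to the IOC set to exercise a hit."""
    with tempfile.TemporaryDirectory() as root:
        fake, benign = os.path.join(root, "fake_dropper"), os.path.join(root, "readme.txt")
        with open(fake, "wb") as f:
            f.write(b"constructed sample, not real malware")
        with open(benign, "wb") as f:
            f.write(b"benign file")
        _, digests = load_iocs(hashes=SHIKITEGA_SHA256 + [sha256_file(fake)])
        return sorted(os.path.basename(p) for p, _ in scan_files(root, digests))

if __name__ == "__main__":
    domains, digests = load_iocs()
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    print("hash hits:", scan_files(root, digests))
    print("C&C lookups in sample log:", scan_dns_log(SAMPLE_DNS_LOG, domains))
    print("demo file scan:", demo_file_scan())
```

Run it as `python3 shikitega_ioc_sweep.py /path/to/scan`. Hash matching is exact, so it only catches the samples AT&T observed; the polymorphic encoder noted above means new builds will carry different hashes, which is why the domain check, which survives re-encoding, is worth feeding to a resolver or proxy log pipeline rather than running once.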
MITRE TTPs
AT&T researchers provided the following MITRE ATT&CK Matrix tactics, techniques, and procedures (TTPs):
- TA0002: Execution
  - T1059: Command and Scripting Interpreter
  - T1569: System Services
    - T1569.002: Service Execution
- TA0003: Persistence
  - T1543: Create or Modify System Process
- TA0005: Defense Evasion
  - T1027: Obfuscated Files or Information