New Shikitega Malware Targets IoT Devices for Cryptomining and Remote Access

Shikitega is technically advanced malware that targets Linux-based endpoints and IoT devices for cryptomining.

Context

On September 6, 2022, researchers at AT&T Alien Labs reported technical details of a new malware, “Shikitega,” that targets endpoints and internet of things (IoT) devices running Linux operating systems. Once delivered, Shikitega gives the actors full remote access to the infected system and installs a cryptominer with persistence. Key takeaways from the report include:

  • The malware downloads and executes the Metasploit “Mettle” meterpreter to maximize its control over infected machines.
  • Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute the cryptominer.
  • The malware uses a polymorphic encoder to make it harder for anti-virus engines to detect.
  • Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.

Impact Analysis

AT&T researchers did not disclose any information on the specific targeted organizations, specific targeted devices, or targeted industries of the Shikitega campaign. As such, it is not currently known if this malware has been leveraged against the retail, hospitality, or travel sectors. Organizations employing Linux in any of their operations are encouraged to consider the mitigation options and ingest the indicators of compromise (IOCs) provided here as part of a proactive defense.

Technical Details

According to AT&T researchers, Shikitega uses a multi-layer infection chain in which each module accomplishes a specific task and leads to the next. The chain is as follows:

  1. Download and execute the Metasploit meterpreter,
  2. Exploit Linux vulnerabilities,
  3. Establish persistence on the infected device,
  4. Download and execute the cryptominer.

Mitigation Options

AT&T researchers recommended the following defensive measures:

  • Keep software up to date with security updates.
  • Install anti-virus and/or EDR on all endpoints.
  • Use a backup system to back up server files.

IOCs

AT&T researchers provided the following IOCs:

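As an added example that is not from the advisory or from AT&T Alien Labs: a small Python hunt that ingests an IOC table in the advisory's "Indicator Type Notes" layout, refangs the defanged domains, and checks resolver log lines and file contents against the domain and SHA256 indicators. The two C2 domains are the advisory's; the hash row, the dnsmasq-style log lines and the file contents are constructed.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple
def refang(indicator: str) -> str:
    """Turn the advisory's defanged form (dash[.]cloudflare[.]ovh) back into a resolvable name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Parse 'Indicator Type Notes' rows into sets of refanged indicators keyed by type."""
    iocs: Dict[str, Set[str]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            iocs.setdefault(parts[1], set()).add(refang(parts[0]))
    return iocs

def match_dns_log(lines: List[str], domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (log line, C2 domain) pairs for queries to a listed domain or any subdomain of it."""
    hits = []
    for line in lines:
        for token in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            name = token.lower().rstrip(".")
            hits += [(line, d) for d in sorted(domains) if name == d or name.endswith("." + d)]
    return hits

def match_hashes(files: Dict[str, bytes], hashes: Set[str]) -> List[str]:
    """Return the paths whose contents hash (SHA256) to a value on the IOC list."""
    return [path for path, data in files.items() if hashlib.sha256(data).hexdigest() in hashes]
# Constructed inputs: the two defanged C2 domains are the advisory's; the SHA256 row is the
# hash of a constructed byte string, not of any real sample; the resolver lines are made up.
SAMPLE_BYTES = b"constructed stand-in for a dropped file, not real malware\n"
IOC_TABLE = (
    "Indicator Type Notes\n"
    "dash[.]cloudflare[.]ovh Domain Command and control\n"
    "main[.]cloudfronts[.]net Domain Command and control\n"
    f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()} SHA256 Malware hash\n"
)
DNS_LOG = [
    "Sep  6 10:01:02 gw dnsmasq[811]: query[A] dash.cloudflare.ovh from 10.0.0.5",
    "Sep  6 10:01:09 gw dnsmasq[811]: query[A] updates.example.org from 10.0.0.7",
    "Sep  6 10:02:15 gw dnsmasq[811]: query[A] cdn.main.cloudfronts.net from 10.0.0.5",
]

def run_hunt() -> Tuple[List[Tuple[str, str]], List[str]]:  # apply both IOC types, return hits
    iocs = parse_ioc_table(IOC_TABLE)
    dns_hits = match_dns_log(DNS_LOG, iocs["Domain"])
    files = {"/tmp/dropped.bin": SAMPLE_BYTES, "/usr/bin/benign": b"ok"}  # constructed contents
    hash_hits = match_hashes(files, iocs["SHA256"])
    return dns_hits, hash_hits
```

The subdomain check matters because the advisory's domains are hosted on legitimate cloud services, so a lookup can arrive with an extra label in front of the listed name.
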
MITRE TTPs

AT&T researchers provided the following MITRE ATT&CK Matrix tactics, techniques, and procedures (TTPs):

  • TA0002: Execution
    • T1059: Command and Scripting Interpreter
    • T1569: System Services
      • T1569.002: Service Execution
  • TA0003: Persistence
    • T1543: Create or Modify System Process
  • TA0005: Defense Evasion
    • T1027: Obfuscated Files or Information
