- Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one.
- The malware uses a polymorphic encoder to make it more difficult to detect by anti-virus engines.
- Shikitega abuses legitimate cloud services to host some of its command and control servers.
AT&T Alien Labs has identified a new, emerging threat that targets Linux endpoints and IoT devices. The new malware, Shikitega, is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. The malware enables attackers to gain full control of a system and execute cryptocurrency miners.
Researchers at AT&T Alien Labs found that the new malware uses a multi-layered infection chain. The first layer is a 370-byte ELF file that contains the encoded shellcode. Each module is responsible for a specific task, from downloading and executing a Metasploit Meterpreter, exploiting Linux vulnerabilities and establishing persistence on the infected machine, to downloading and executing a cryptominer.
The malware uses a polymorphic XOR additive feedback encoder named Shikata Ga Nai, which Mandiant analyzed previously. In that report, Mandiant stated that the encoder is polymorphic in that each run produces encoded shellcode different from the last. To accomplish this, it uses a variety of techniques: dynamic instruction substitution, dynamic block ordering, randomly interchanging registers, randomizing instruction ordering, inserting junk code, using a random key, and randomizing the spacing between instructions.
After the decryption loops complete, the final payload shellcode is executed, using “int 0x80” to invoke the appropriate syscall. It then downloads and executes additional commands from its command and control server by calling syscall 102. The C&C sends the additional shell commands to execute; these commands are never written to disk and are executed from memory only. AT&T Alien Labs said,
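The additive-feedback decoding loop described above, followed by a triage pass over the decoded bytes for the raw `int 0x80` syscalls the article mentions, as an added example (not code from the article, the AT&T report or Metasploit). The key, the sample payload bytes and the 0x90 padding are constructed for the example; reading the key from the stub's `mov eax, imm32` and syscall 102 being socketcall on i386 are standard facts about the encoder and the kernel ABI.

```python
"""Added example: Shikata Ga Nai-style XOR additive-feedback decoding, so an
analyst can unpack a dumped payload once the key is read from the stub's
`mov eax, imm32`, plus a check of the decoded bytes for raw `int 0x80` calls."""
import struct

# i386 syscall numbers the triage output labels (others print as "unknown").
I386_SYSCALLS = {1: "exit", 3: "read", 4: "write", 11: "execve", 102: "socketcall"}


def sgn_decode(encoded: bytes, key: int) -> bytes:
    """XOR each little-endian dword with the running key, then feed the
    *decoded* dword back into the key (mod 2**32): the additive feedback."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", encoded):
        plain = enc ^ key
        key = (key + plain) & 0xFFFFFFFF
        out += struct.pack("<I", plain)
    return bytes(out)


def sgn_encode(plain: bytes, key: int) -> bytes:
    """Inverse of sgn_decode; used here only to build test input. Pads to a
    dword boundary with 0x90 (this example's choice, not the real stub's)."""
    plain += b"\x90" * (-len(plain) % 4)
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def find_int80_syscalls(code: bytes) -> list:
    """Flag `mov eax, imm32` / `mov al, imm8` directly followed by `int 0x80`:
    a cheap indicator that a blob issues raw 32-bit Linux syscalls."""
    hits = []
    for i in range(len(code) - 1):
        if code[i:i + 2] != b"\xcd\x80":
            continue
        if i >= 5 and code[i - 5] == 0xB8:          # mov eax, imm32
            num = struct.unpack("<I", code[i - 4:i])[0]
        elif i >= 2 and code[i - 2] == 0xB0:        # mov al, imm8
            num = code[i - 1]
        else:
            continue
        hits.append((i, num, I386_SYSCALLS.get(num, "unknown")))
    return hits


# Constructed stand-in payload: mov eax,102; int 0x80; mov al,1; int 0x80.
SAMPLE_PAYLOAD = b"\xb8\x66\x00\x00\x00\xcd\x80\xb0\x01\xcd\x80"

if __name__ == "__main__":                           # same payload, two keys
    for key in (0x01010101, 0xDEADBEEF):
        print(hex(key), sgn_encode(SAMPLE_PAYLOAD, key).hex())
```

Running the module shows the same payload encoding to entirely different bytes under each key, which is the property a byte-pattern signature on the encoded blob cannot survive; scanning only after decoding does.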
« Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection. Shikitega malware is delivered in a sophisticated way: it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. »