Cyber Security

Shikitega – New stealthy malware focusing on Linux

Written by admin


Govt abstract

AT&T Alien Labs has found a brand new malware focusing on endpoints and IoT units which might be operating Linux working methods. Shikitega is delivered in a multistage an infection chain the place every module responds to part of the payload and downloads and executes the following one. An attacker can achieve full management of the system, along with the cryptocurrency miner that will probably be executed and set to persist.

Key takeaways:

  • The malware downloads and executes the Metasploit’s “Mettle” meterpreter to maximise its management on contaminated machines.
  • Shikitega exploits system vulnerabilities to achieve excessive privileges, persist and execute crypto miner.
  • The malware makes use of a polymorphic encoder to make it harder to detect by anti-virus engines.
  • Shikitega abuse reputable cloud providers to retailer a few of its command and management servers (C&C).

Shikitega

Determine 1. Shikitega operation course of.

Background

With an increase of almost 650% in malware and ransomware for Linux this yr, reaching an all-time excessive within the first half yr of 2022, risk actors discover servers, endpoints and IoT units based mostly on Linux working methods increasingly invaluable and discover new methods to ship their malicious payloads. New malwares like BotenaGo and EnemyBot are examples of how malware writers quickly incorporate  not too long ago found vulnerabilities to search out new victims and improve their attain.

Shikitega makes use of an an infection chain in a number of layers, the place the primary one incorporates only some hundred bytes, and every module is answerable for a selected job, from downloading and executing Metasploit meterpreter, exploiting Linux vulnerabilities, setting persistence within the contaminated machine to downloading and executing a cryptominer.

Evaluation

The principle dropper of the malware is a really small ELF file, the place its complete dimension is round solely 370 bytes, whereas its precise code dimension is round 300 bytes. (determine 2)

Malicious ELF

Determine 2. Malicious ELF file with a complete of solely 376 bytes.

The malware makes use of the “Shikata Ga Nai” polymorphic XOR additive suggestions encoder, which is without doubt one of the hottest encoders utilized in Metasploit. Utilizing the encoder, the malware runs by a number of decode loops, the place one loop decodes the following layer, till the ultimate shellcode payload is decoded and executed. The encoder stud is generated based mostly on dynamic instruction substitution and dynamic block ordering. As well as, registers are chosen dynamically.  Under we are able to see how the encoder decrypts the primary two loops: (figures 3 and 4)

Shikitega decryption

Determine 3. First “Shikata Ga Nai” decryption loop.

Shikata decryption 2

Determine 4. Second “Shikata Ga Nai” decryption loop created by the primary one.

After a number of decryption loops, the ultimate payload shellcode will probably be decrypted and executed. Because the malware doesn’t use any imports, it makes use of ‘int 0x80’ to execute the suitable syscall. As the primary dropper code could be very small, the malware will obtain and execute extra instructions from its command and management by calling 102 syscall (sys_socketcall). (Determine 5)

Interrupts

Determine 5. Calling system capabilities utilizing interrupts

The C&C will reply with extra shell instructions to execute, as seen within the packet seize in determine 6. The primary bytes marked in blue are the shell instructions that the malware will execute.

CnC commands

Determine 6. Extra instructions acquired from C&C.

The acquired command will obtain extra information from the server that received’t be saved within the onerous drive, however reasonably will probably be executed from reminiscence solely. (Determine 7)

Shikitega shell code

Determine 7. Executes extra shell code acquired from C&C.

In different malware variations, it’s going to use the “execve” syscall to execute ‘/bin/sh’ with command acquired from the C&C. (determine 8)

Syscall

Determine 8. Executing shell instructions by utilizing syscall_execve.

The malware downloads and executes ‘Mettle’, a Metasploit meterpreter that permits the attacker to make use of a variety of assaults from webcam management, sniffer, a number of reverse shells (tcp/http..), course of management, execute shell instructions and extra. 

As well as the malware will use wget to obtain and execute the following stage dropper.

Subsequent stage dropper

The subsequent downloaded and executed file is an extra small ELF file (round 1kb) encoded with the “Shikata Ga Nai” encoder. The malware decrypts a shell command that will probably be executed by calling syscall_execve with ‘/bin/sh” as a parameter with the decrypted shell. (Determine 9)

decrypt 2

Determine 9. Second stage dropper decrypts and executes shell instructions.

The executed shell command will obtain and execute extra information. To execute the following and final stage dropper, it’s going to exploit two linux vulnerabilities to leverage privileges – CVE-2021-4034 and CVE-2021-3493 (determine 10 and 11).

exploit linux vuln

Determine 10. Exploiting Linux vulnerability CVE-2021-3493.

exploit second linux vuln

Determine 11. Exploiting CVE-2021-4034 vulnerability.

The malware will leverage the exploit to obtain and execute the ultimate stage with root privileges – persistence and cryptominer payload.

Persistence

To realize persistence, the malware will obtain and execute a complete of 5 shell scripts. It persists within the system by setting 4 crontabs, two for the present logged in consumer and the opposite two for the consumer root. It’ll first verify if the crontab command exists on the machine, and if not, the malware will set up it and begin the crontab service.

To verify just one occasion is operating, it’s going to use the flock command with a lock file “/var/tmp/vm.lock”.

flock command

Determine 12. Including root crontab to execute the ultimate payload.

Under is the record of downloaded and executed script to realize persistence:

script title

particulars

unix.sh

Verify if “crontab” instructions exist within the system, if not set up it and begin the crontab service.

brict.sh

Provides crontab for present consumer to execute cryptominer.

politrict.sh

Provides root crontab to execute cryptominer.

truct.sh

Provides crontab for present consumer to obtain cryptominer and config from C&C.

limit.sh

Provides root crontab to obtain cryptominer and config from C&C.

 

Because the malware persists with crontabs, it’s going to delete all downloaded information from the system to cover its presence.

Cryptominer payload

The malware downloads and executes XMRig miner, a well-liked miner for the Monero cryptocurrency. It’ll additionally set a crontab to obtain and execute the crypto miner and config from the C&C as talked about within the persistence half above.

XMRig

Determine 13. XMRig miner is downloaded and executed on an contaminated machine.

Command and management

Shikitega makes use of cloud options to host a few of its command and management servers (C&C) as proven by OTX in determine 14. Because the malware in some circumstances contacts the command and management server utilizing straight the IP with out area title, it’s tough to supply a whole record of indicators for detections since they’re unstable and they are going to be used for reputable functions in a brief time frame.

CnC on legit host

Determine 14. Command and management server hosted on a reputable cloud internet hosting service.

Beneficial actions

  1. Preserve software program updated with safety updates.
  2. Set up Antivirus and/or EDR in all endpoints.
  3. Use a backup system to backup server information.

Conclusion

Menace actors proceed to seek for methods to ship malware in new methods to remain underneath the radar and keep away from detection. Shiketega malware is delivered in a complicated means, it makes use of a polymorphic encoder, and it regularly delivers its payload the place every step reveals solely a part of the whole payload. As well as, the malware abuses recognized internet hosting providers to host its command and management servers. Keep secure!

Related Indicators (IOCs)

The next technical indicators are related to the reported intelligence. A listing of indicators can be obtainable within the OTX Pulse. Please be aware, the heartbeat might embody different actions associated however out of the scope of the report.

TYPE

INDICATOR

DESCRIPTION

DOMAIN

sprint[.]cloudflare.ovh

Command and management

DOMAIN

principal[.]cloudfronts.web

Command and management

SHA256

b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331

Malware hash

SHA256

0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed

Malware hash

SHA256

f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb

Malware hash

SHA256

8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732

Malware hash

SHA256

d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374

Malware hash

SHA256

fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765

Malware hash

SHA256

e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d

Malware hash

SHA256

cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d

Malware hash

SHA256

d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8

Malware hash

SHA256

29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8

Malware hash

SHA256

4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7

Malware hash

SHA256

130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5

Malware hash

SHA256

3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098

Malware hash

SHA256

6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275

Malware hash

SHA256

7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad

Malware hash

SHA256

2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab

Malware hash CVE-2021-3493

SHA256

4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f

Malware hash CVE-2021-4034

SHA256

e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4

Malware hash

SHA256

64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4

Malware shell script

SHA256

623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955

Malware shell script

SHA256

59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af

Malware shell script

SHA256

9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338

Malware shell script

SHA256

05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464

Malware shell script

SHA256

ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d

Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the next MITRE ATT&CK Matrix methods:

  • TA0002: Execution
    • T1059: Command and Scripting Interpreter
    • T1569: System Service
      • T1569.002: Service Execution
  • TA0003: Persistence
    • T1543: Create or Modify System Course of
  • TA0005: Protection Evasion
    • T1027: Obfuscated Information or Info

About the author

admin

Leave a Comment