A team of researchers at the cyber security firm AT&T Alien Labs has uncovered a new Linux malware, named Shikitega, that infects servers and small Internet of Things devices with unusual stealth and proficiency. The team's write-up describes the threat, including the mechanisms that make Shikitega difficult to detect.
According to the research team, there are two main reasons Shikitega is difficult to detect. First, it is polymorphic: it re-encrypts itself with a different encryption key on each infection, so pattern matching of suspect files against known-virus signatures cannot recognise it. Second, it hosts its command-and-control (C2) server on abused legitimate cloud services, which makes the source of the attack hard to identify.
The main dropper, the component that creates and drops the files containing the malware, is a small executable of just 376 bytes. Infection proceeds as a multi-stage chain in which each link downloads and executes the next, using output from the previous link, and the stages are packed with a polymorphic encoder, which makes the details of the malware difficult to identify.
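The two paragraphs above describe why per-infection re-encryption defeats signature matching. The following Python is an added illustration written for this article, not code from AT&T Alien Labs or from the malware itself: the "stage" is a constructed text string, the XOR encoder and the four-byte keys are a deliberately simple stand-in for a real polymorphic encoder, and the variant layout (key stored in front of the encoded body) is an assumption made for the demo. It shows that every variant gets a distinct file hash and that a byte pattern lifted from one variant matches no other, while decoding each variant with its own embedded key, the step a sandbox or EDR unpacker performs before matching, yields one constant hash again.

```python
"""Static signatures versus polymorphic re-encryption (constructed demo)."""
import hashlib

# Constructed stand-in for a malware stage: plain text, not a real payload.
STAGE = b"stage-2: fetch next link from c2 and run it in memory (constructed sample)"

# Constructed per-infection keys; a real encoder would draw these at random.
KEYS = [b"\x11\x22\x33\x44", b"\xa5\x5a\xc3\x3c", b"\x01\x02\x03\x04"]
KEY_LEN = 4  # assumption for this demo: every key is four bytes long


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_variant(stage: bytes, key: bytes) -> bytes:
    """Model one infection: the key is stored in front of the encoded body."""
    return key + xor_bytes(stage, key)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_hashes(variants):
    """File hashes as an antivirus would compute them on the bytes on disk."""
    return {sha256_hex(v) for v in variants}


def static_signature_hits(variants, signature: bytes) -> int:
    """Count variants containing a byte pattern lifted from one encoded body."""
    return sum(1 for v in variants if signature in v)


def decoded_hashes(variants, key_len: int = KEY_LEN):
    """Decode each variant with its embedded key, then hash the plaintext stage."""
    return {sha256_hex(xor_bytes(v[key_len:], v[:key_len])) for v in variants}


def run_demo() -> dict:
    variants = [build_variant(STAGE, k) for k in KEYS]
    # A 16-byte signature taken from the first sample's encoded body.
    signature = variants[0][KEY_LEN:KEY_LEN + 16]
    return {
        "variants": len(variants),
        "distinct_static_hashes": len(static_hashes(variants)),
        "signature_hits": static_signature_hits(variants, signature),
        "distinct_decoded_hashes": len(decoded_hashes(variants)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With three constructed infections the demo reports three distinct static hashes and a single signature hit (the sample the pattern came from), but only one distinct hash after decoding. That is the defender's lesson behind the article's point: hashes and byte patterns of the encoded file are throwaway indicators for a polymorphic family, whereas matching on the unpacked stage or on runtime behaviour survives the re-encryption.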
The Shikitega C2 server responds with shell commands that the target machine executes directly. Because these commands run in the machine's memory rather than from files on disk, detection by host antivirus becomes difficult, which further enhances the malware's stealth.
Shikitega's ultimate purpose is not clear, but one of its functions is to deliver software that mines cryptocurrency. Since webcam control and credential theft occur alongside the mining, there is concern that mining is not the malware's only function and that it has other end goals.
The research team reports that Linux malware has been on the rise in 2022 and recommends that system administrators apply security updates as they become available, regularly back up their most important data, and use EDR, which continuously monitors all endpoints for threats.