This fearsome new Linux malware will send a shudder down the spines of IT professionals
A brand new Linux malware (opens in new tab) strain capable of different kinds of nasties has been detected, capable of abusing legitimate cloud services to stay hidden in plain sight.
Cybersecurity researchers from AT&T Alien Labs recently discovered (opens in new tab) the malware and named it Shikitega. It comes with a super tiny dropper (376 bytes), using a polymorphic encoder that gradually drops the payload. That means that the malware will download and execute one module at a time, making sure it stays hidden and persistent.
The command & control (C2) server for the malware is hosted on a “known hosting service”, making it stealthier, it was said.
Abusing PwnKit
The researchers aren’t absolutely certain what the malware’s authors were trying to achieve.
Shikitega is quite potent, as it can run on all kinds of Linux (opens in new tab) devices, and allows threat actors to control the webcam on the target endpoint (opens in new tab), as well as steal credentials. On the other hand, it’s also capable of running XMRig, a known cryptojacker that mines the Monero cryptocurrency for the attackers. One can only speculate that the XMRig was added to make use of compromised devices that have no sensitive data to be stolen.
The malware relies on two vulnerabilities, both patched months ago, to compromise the devices and achieve persistence. One is PwnKit (CVE-2021-4034), one of the more infamous vulnerabilities that went undetected for some 12 years, before finally being spotted and fixed earlier this year. The other one is CVE-2021-3493, discovered and patched more than a year ago (in April 2021).
While there’s a fix for both these holes, the researchers are saying, many IT administrators are yet to apply them, especially when it comes to Internet of Things (IoT) devices.
The researchers don’t yet know who the authors are, and are suggesting all Linux admins to keep their software up to date, install an antivirus (opens in new tab) and/or EDR on all endpoints, and make sure they back up their server files.
Via: Ars Technica (opens in new tab)
Audio player loading… A brand new Linux malware (opens in new tab) strain capable of different kinds of nasties has been detected, capable of abusing legitimate cloud services to stay hidden in plain sight. Cybersecurity researchers from AT&T Alien Labs recently discovered (opens in new tab) the malware and named…
