By downloading the payload bit by bit – starting with a module that is just a few hundred bytes – Shikitega can avoid being uncovered by anti-virus software. It also uses a polymorphic encoder to make it more difficult to detect.
Researchers also note that those behind Shikitega appear to abuse legitimate cloud services to host some of their command-and-control servers.
The initial method of infection is still unknown. Once on a host, the malware downloads additional modules in stages to build up its full functionality: it starts with the initial dropper, then passes through several further stages, including the download of Mettle, a Metasploit offensive security payload that gives the attacker a wide range of capabilities.
These include controlling webcams, manipulating processes, executing shell commands, and more. Shell command execution in particular lets the attackers exploit the system further, and that appears to be their focus for now.
The malware downloads and executes further modules that exploit vulnerabilities in Linux, which can be used to achieve persistence and control of the compromised system.
The vulnerabilities are CVE-2021-3493, a validation issue in the Linux kernel that allows attackers to gain elevated privileges, and CVE-2021-4034, a high-severity memory corruption vulnerability in polkit, which is installed by default in Linux distributions.
By exploiting these vulnerabilities, the malware is able to download and execute the final stage of the payload with root privileges, providing the ability to fully control the system.
This final stage of the attack downloads crypto-mining malware, which lets the attackers use the processing power of infected machines to mine cryptocurrency covertly, at no cost to themselves. While this appears to be the focus of the attacks for now, the degree of control Shikitega gains over a system means it could be used for more damaging attacks in the future.
"Threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads," said Ofer Caspi, malware researcher at Alien Labs.
"Shikitega malware is delivered in a sophisticated way; it uses a polymorphic encoder, and it gradually delivers its payload, where each step reveals only part of the total payload," he added.