New Shikitega malware for Linux seizes full control of infected system

September 9, 2022  23:41

A new strain of Linux malware, named Shikitega, can take full control of infected Linux systems, including Internet of Things (IoT) devices, security researchers at AT&T's Alien Labs report.

It is not yet known exactly how the program gets onto a system, but code analysis has revealed a multi-stage infection chain: each module of the malware loads the next one in sequence.

To gain full control of an infected system, the malware uses Mettle, a Metasploit Meterpreter payload, which gives the attackers capabilities such as webcam control, sniffers, process control and more.

Shikitega hosts some of its command and control (C&C) servers on perfectly legitimate cloud services, and uses the Shikata Ga Nai polymorphic encoder on its payloads to avoid detection by antivirus software.

The malware uses two known Linux privilege-escalation vulnerabilities, CVE-2021-4034 and CVE-2021-3493, to hijack the system. With elevated privileges, Shikitega fetches its final payload, establishes persistence on the infected device and launches a malicious Monero cryptocurrency miner.

To reduce the risk of infection, AT&T Alien Labs experts advise installing all security patches promptly, keeping backups of servers and running malware protection software on all devices.

Malware targeting Linux increased by 75% in the first half of 2022 compared with the same period last year.
