Shikitega – New stealthy malware targeting Linux

With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half year of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads.
New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.

Shikitega uses an infection chain in multiple layers, where the first one contains only a few hundred bytes, and each module is responsible for a specific task, from downloading and executing Metasploit meterpreter, exploiting Linux vulnerabilities, setting persistence in the infected machine to downloading and executing a cryptominer.

The main dropper of the malware is a very small ELF file, where its total size is around only 370 bytes, while its actual code size is around 300 bytes.

The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit.
Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.
The encoder stud is generated based on dynamic instruction substitution and dynamic block ordering.
In addition, registers are selected dynamically.

After several decryption loops, the final payload shellcode will be decrypted and executed.
As the malware does not use any imports, it uses ‘int 0x80’ to execute the appropriate syscall.
As the main dropper code is very small, the malware will download and execute additional commands from its command and control by calling 102 syscall (sys_socketcall).

The C&C will respond with additional shell commands to execute.
The first bytes marked in blue are the shell commands that the malware will execute.

The received command will download additional files from the server that won’t be stored in the hard drive, but rather will be executed from memory only.

In other malware versions, it will use the “execve” syscall to execute ‘/bin/sh’ with command received from the C&C.

The malware downloads and executes ‘Mettle’, a Metasploit meterpreter that allows the attacker to use a wide range of attacks from webcam control, sniffer, multiple reverse shells (tcp/http..), process control, execute shell commands and more.

In addition the malware will use wget to download and execute the next stage dropper.