Researchers at AT&T Alien Labs have discovered a new piece of malware utilizing extensive obfuscation techniques in order to evade detection. The initial infection method is still unknown. Shikitega is delivered using a multi-stage method that results in a cryptomining application being installed, along with a lightweight version of Metasploit’s Meterpreter called “Mettle.” During the infection chain, Shikitega abuses 2 vulnerabilities (CVE-2021-4034 and CVE-2021-3493) to escalate privileges on the victim host.
Shikitega uses the very popular “Shikata Ga Nai” polymorphic XOR additive feedback encoder to dynamically encode the malware, making reverse engineering difficult and signature-based detection extremely difficult. The final payload is downloaded from the threat actors command and control (C2) servers and executed in memory.
The payload that is downloaded from the threat actors C2 is the popular and open-source XMRig (version 6.17.0), a cryptomining program used by many threat actors. In this case, XMRig is set to mine Monero which is known for its anonymity.
Analyst Notes
In an uncommon move, the threat actor uses reputable commercial cloud providers for their C2 infrastructure. This choice by the threat actor has both benefits and draw backs. From the network security perspective, seeing traffic to and from a legitimate cloud services provider is quite common and frequent in modern computing. However, there are drawbacks. Using a legitimate cloud provider, especially based in the US, raises the risk of being tracked down by law enforcement and typically costs more.
To ensure that the cryptominer continues to run, the threat actor creates 5 separate cronjobs that will restart the program should it ever be stopped. If crontab is not installed, Shikitega will install it. These cron jobs provide a persistence mechanism, and are also used to update configuration files for the mining software.
In regards to cryptomining threats, a strong service monitoring infrastructure can be very useful in detecting sudden spikes in resource usage often associated with cryptomining. Monitoring products such as Icinga2 or Nagios can provide alerts based on irregular CPU usage and can also send data into a graphing/visualization stack like InfluxDB with Grafana for a visual layout of system resources at any given time; such solutions can assist in immediate detection of irregular CPU usage.
https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/