Researchers at AT&T Alien Labs have discovered a new piece of malware that uses extensive obfuscation techniques to evade detection. The initial infection method is still unknown. Shikitega is delivered using a multi-stage method that results in a cryptomining application being installed, along with a lightweight version of Metasploit’s Meterpreter called “Mettle.” During the infection chain, Shikitega abuses two vulnerabilities (CVE-2021-4034 and CVE-2021-3493) to escalate privileges on the victim host.
Shikitega uses the very popular “Shikata Ga Nai” polymorphic XOR additive feedback encoder to dynamically encode the malware, which makes reverse engineering difficult and signature-based detection extremely hard. The final payload is downloaded from the threat actors’ command and control (C2) servers and executed in memory.
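The XOR additive-feedback scheme named above is what an analyst has to undo to get at the next stage, so here is an added decoder (not code from the Alien Labs report or from the malware) that mirrors the arithmetic of the Metasploit x86/shikata_ga_nai decoder loop: XOR each 32-bit word with a running key, then advance the key by adding the decoded word. The sample buffer and the key 0x11223344 are constructed for illustration; in a real sample the key, register choice and loop layout vary per build and must be recovered from the decoder stub.

```python
import struct


def sgn_decode(encoded: bytes, key: int) -> bytes:
    """Decode a Shikata Ga Nai style XOR additive-feedback buffer.

    Each 32-bit little-endian word is XORed with the running key, and the
    key is then advanced by adding the decoded word (mod 2**32). Because
    every decoded word feeds the next key, changing the initial key or any
    single byte of the input reshuffles every later byte, which is why a
    fixed byte signature over the encoded body does not survive re-encoding.
    """
    if len(encoded) % 4:
        raise ValueError("encoded buffer must be a multiple of 4 bytes")
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", encoded):
        plain = word ^ key                 # xor [ptr], key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF   # add key, [ptr] (feedback step)
    return bytes(out)


# Constructed sample, not from a real Shikitega binary: the ASCII text
# "AAAABBBB" encoded with an initial key of 0x11223344.
SAMPLE_ENCODED = bytes.fromhex("05726350c7362110")
SAMPLE_KEY = 0x11223344


def decode_sample() -> bytes:
    """Decode the constructed sample; returns b'AAAABBBB'."""
    return sgn_decode(SAMPLE_ENCODED, SAMPLE_KEY)


if __name__ == "__main__":
    print(decode_sample())
```

Decoding the same buffer with a wrong key yields garbage from the first word onward, so the stub's initial key is the one value an analyst must extract before anything else.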
The payload downloaded from the threat actors’ C2 is the popular open-source XMRig (version 6.17.0), a cryptomining program used by many threat actors. In this case, XMRig is configured to mine Monero, which is known for its anonymity.