A team of researchers from cybersecurity firm AT&T Alien Labs has revealed a new Linux malware with superior stealth and proficiency that infects both existing servers and small Internet of Things devices. The research team described the threat, dubbed Shikitega, including the mechanisms that make the malware difficult to detect.
According to the research team, there are two main reasons why Shikitega is difficult to detect. First, it is polymorphic malware that encrypts itself with a different encryption key for each infection. This defeats signature-based detection, which compares a suspect file against patterns of known viruses. Second, it hosts its C2 server infrastructure on legitimate cloud services, which is said to make the source of the attack harder to identify.
The main dropper, which creates and drops the files containing the malware, is a small 376-byte executable. This first simple module is the start of a multi-level infection chain in which each link downloads and executes the next link, triggered by part of the previous one. Because each stage is deployed using polymorphic encoders, it is difficult to pin down the details of the malware.
The Shikitega C2 server responds with shell commands that the target machine then executes. Because these commands run in the machine's memory rather than from files on disk, they are difficult for antivirus protection to detect, which further improves the malware's stealth.
The overall purpose of Shikitega is not clear, but one of its goals is to deliver cryptocurrency-mining software. At the same time, webcam control and credential theft are also taking place, raising concern that mining is not the malware's only function and that it has other end goals.
The research team reports that Linux malware is on the rise from 2022, and recommends that system administrators make regular backups of their most important data, apply available security updates, and use EDR to continuously monitor all endpoints for threats.