Researchers from AT&T’s Alien Labs have detected malware that targets endpoints and Internet of Things (IoT) devices running Linux. The malware, which is being called “Shikitega,” is delivered in a multistage infection chain where each module handles one part of the payload, then downloads and executes the next one. Shikitega can be used to take control of vulnerable devices and to install persistent cryptomining malware.
- These more subtle attacks easily hide in the noise created by all the Mirai and similar bots flooding Linux devices. Remember that the important attacks are the one-offs, not the top 10 attacks shown by your console.
- When you read Linux, don’t just think of your servers or desktops; remember that many IoT devices are running Linux, with very limited built-in security measures to deploy. Shikitega is delivered in a very stealthy way and leverages legitimate hosting services for C2 functions. Incorporate the IOCs from the Alien Labs report. The best mitigations are to keep your devices updated, deploy EDR, and have backups. While you can’t deploy EDR to most IoT devices, you can isolate them as much as possible, make sure they are getting updated and, where possible, export the configuration to make service restoration simpler.
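One concrete way to act on the advice to incorporate the report's IOCs is to sweep existing DNS, firewall and EDR logs for them. The script below is an added example, not code from AT&T Alien Labs or from this digest; the indicator values and the log lines it scans are constructed placeholders, and the regular expressions assume key=value style log records, so both would need to be replaced with the real Shikitega indicators and your own log format.

```python
"""
Added example: match a set of indicators of compromise (IOCs) against log lines.

The IOC values and sample log lines below are constructed placeholders.
Substitute the hashes, domains and IP addresses published in the AT&T Alien
Labs Shikitega report and point the scanner at real DNS/firewall/EDR logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Placeholder IOC set (constructed; NOT the real Shikitega indicators).
IOCS: Dict[str, Set[str]] = {
    "sha256": {"0" * 63 + "1"},
    "domain": {"placeholder-c2.example"},
    "ip": {"203.0.113.10"},
}

# Constructed sample records: a firewall allow, an EDR process-execution event,
# a DNS query to the placeholder C2 domain, and one benign DNS query.
SAMPLE_LOGS: List[str] = [
    "2022-09-15T10:00:01Z host=iot-cam-01 proto=tcp dst=203.0.113.10:443 action=allow",
    "2022-09-15T10:00:02Z host=web-02 event=exec sha256=" + "0" * 63 + "1" + " path=/tmp/x",
    "2022-09-15T10:00:03Z host=web-02 dns query=placeholder-c2.example rcode=NOERROR",
    "2022-09-15T10:00:04Z host=web-03 dns query=updates.example.org rcode=NOERROR",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Domain: dotted labels ending in an alphabetic TLD, so bare IPv4 addresses do not match.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned lines
    ioc_type: str  # "sha256", "ip" or "domain"
    value: str     # the matched indicator, normalised to lowercase
    host: str      # host field from the log record, "?" if absent


def _host_of(line: str) -> str:
    m = HOST_RE.search(line)
    return m.group(1) if m else "?"


def scan(lines: Iterable[str], iocs: Dict[str, Set[str]] = IOCS) -> List[Hit]:
    """Return one Hit per (line, indicator) pair where the line contains a known IOC."""
    hashes = {h.lower() for h in iocs.get("sha256", set())}
    domains = {d.lower() for d in iocs.get("domain", set())}
    ips = set(iocs.get("ip", set()))
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        host = _host_of(line)
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "sha256", h.lower(), host))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, "ip", ip, host))
        for d in DOMAIN_RE.findall(line):
            if d.lower() in domains:
                hits.append(Hit(n, "domain", d.lower(), host))
    return hits


def hosts_to_triage(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Group matched indicators by host so each affected device can be isolated and reviewed."""
    out: Dict[str, List[str]] = {}
    for hit in hits:
        out.setdefault(hit.host, []).append(f"{hit.ioc_type}:{hit.value}")
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value} on {hit.host}")
    print(hosts_to_triage(scan(SAMPLE_LOGS)))
```

Running it over the constructed records flags the firewall line (IP), the execution event (hash) and the C2 DNS query (domain) and leaves the benign query alone; the per-host grouping is what you would hand to whoever isolates and re-images the affected devices, which matters most for the IoT endpoints where EDR cannot run and log review is the only detection path.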
[Updated on 15 September 2022] Fresh Linux malware infecting servers and IoT devices
A new strain revealed last week is notable for its “stealth and sophistication” in infecting both traditional servers and smaller Internet-of-Things devices. The malware has been dubbed Shikitega by the AT&T Alien Labs researchers who discovered it. It is delivered through a multistage infection chain using polymorphic encoding, and it abuses legitimate cloud services to host command-and-control servers, making detection extremely difficult.