New Shikitega Malware Targeting Linux Servers & Internet-of-Things (IoT) Devices

Published on 13 Sep 2022

Updated on 13 Sep 2022

A new Linux malware, dubbed Shikitega, is reportedly targeting both traditional servers and smaller Internet-of-Things (IoT) devices. It avoids detection by gradually delivering partial payloads with multiple decoding loops and having its command-and-control (C2) servers hosted on legitimate cloud services.

Shikitega has been observed to create a list of commands to be executed at a specified time to achieve persistence while remaining hidden. One such instance is the exploitation of two known privilege escalation Linux vulnerabilities, CVE-2021-4034 and CVE-2021-3493, to download, install, and execute a cryptominer with root privileges, before removing all downloaded files at a predetermined time. On top of that, Shikitega also downloads a Metasploit package, Mettle, which could potentially grant an attacker additional capabilities, including webcam control, credential stealing and multiple reverse shells.

Administrators and users are advised to promptly update their software/firmware whenever updates are released. Should you suspect your device to be infected, you may wish to perform an antivirus scan using an updated anti-malware application. In the case of suspected infection in an IoT device, the firmware may have to first be extracted before an anti-virus scan can be performed on the contents of the extracted file system. Possible indicators of compromise (IOCs) associated with Shikitega are shown in the table below:

IOCs derived from AT&T report
DOMAIN dash[.]cloudflare[.]ovh Command and control
DOMAIN main[.]cloudfronts[.]net Command and control
SHA256 b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331 Malware hash
SHA256 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed Malware hash
SHA256 f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb Malware hash
SHA256 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732 Malware hash
SHA256 d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374 Malware hash
SHA256 fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765 Malware hash
SHA256 e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d Malware hash
SHA256 cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d Malware hash
SHA256 d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8 Malware hash
SHA256 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8 Malware hash
SHA256 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7 Malware hash
SHA256 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5 Malware hash
SHA256 3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098 Malware hash
SHA256 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275 Malware hash
SHA256 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad Malware hash
SHA256 2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab Malware hash CVE-2021-3493
SHA256 4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f Malware hash CVE-2021-4034
SHA256 e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4 Malware hash
SHA256 64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4 Malware shell script
SHA256 623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955 Malware shell script
SHA256 59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af Malware shell script
SHA256 9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338 Malware shell script
SHA256 05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464 Malware shell script
SHA256 ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d Malware hash

More information is available here: