shikitega-malware

Analysis

On 6th Sept 2022, AT&T Alien Labs published a blog on their newly discovered malware named Shikitega actively targeting endpoint devices running on Linux operating systems.

The size of malware is 370 bytes, after the malware drop into a machine the encoded payload is decoded several times, as the main code is small the malware downloads additional commands from its C&C server, and the received commands download additional files from the server, then the malware downloads ‘mettle’ a Metasploit meterpreter which allows the attacker to use a wide range of attacks from webcam control, sniffer, multiple reverse shells and execute shell commands.

The malware executes a shell command which downloads additional files, and it exploits CVE-2021-3493, CVE-2021-4034 two vulnerabilities for the least privileges then it executes the final stage with root privileges, for persistence the malware downloads and executes a total of five shell scripts, it persists in the system by setting four crontabs, after that the malware deletes the downloaded files as it persists with crontabs, it then downloads and executes cryptocurrency miner XMRig miner.

 

Prevention

  • Keep the system software up to date with security updates.
  • Use Antivirus or EDR in all endpoints.
  • Take regular backups of end devices to reduce the impact of any kind of malware attacks.

 

Detection

Create rules based on known indicators of malware in the SIEM (Security incident event management) tool for the detection of malware.

 

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Execution T1059

Command and Scripting

Interpreter
Execution T1569

System service- T1569.002:

Service Execution
Persistence T1543

Create or Modify System

Process
Defense Evasion T1027

Obfuscated Files or

Information

 

Indicators of Compromise (IOCs)

Type Indicator Description
DOMAIN dash[.]cloudflare.ovh Command and control
DOMAIN main[.]cloudfronts.net Command and control
SHA256

b9db845097bbf1d2e3b2c0a4a7ca93b0dc8

0a8c9e8dbbc3d09ef77590c13d331

 Malware hash
SHA256

0233dcf6417ab33b48e7b54878893800d26

8b9b6e5ca6ad852693174226e3bed

 Malware hash
SHA256

f7f105c0c669771daa6b469de9f995966477

59d9dd16d0620be90005992128eb

 Malware hash
SHA256

8462d0d14c4186978715ad5fa90cbb679c8f

f7995bcefa6f9e11b16e5ad63732

 Malware hash
SHA256

d318e9f2086c3cf2a258e275f9c63929b456

0744a504ced68622b2e0b3f56374

 Malware hash
SHA256

fc97a8992fa2fe3fd98afddcd03f2fc8f1502d

d679a32d1348a9ed5b208c4765

 Malware hash
SHA256

e4a58509fea52a4917007b1cd1a87050b01

09b50210c5d00e08ece1871af084d

 Malware hash
SHA256

cbdd24ff70a363c1ec89708367e141ea2c14

1479cc4e3881dcd989eec859135d

 Malware hash
SHA256

d5bd2b6b86ce14fbad5442a0211d4cb1d56

b6c75f0b3d78ad8b8dd82483ff4f8

 Malware hash
SHA256

29aafbfd93c96b37866a89841752f29b55ba

dba386840355b682b1853efafcb8

 Malware hash
SHA256

4ed78c4e90ca692f05189b80ce150f6337d2

37aaa846e0adf7d8097fcebacfe7

 Malware hash
SHA256

130888cb6930500cf65fc43522e2836d2152

9cab9291c8073873ad7a90c1fbc5

 Malware hash
SHA256

3ce8dfaedb3e87b2f0ad59e1c47b9b6791b9

9796d38edc3a72286f4b4e5dc098

 Malware hash
SHA256

6b514e9a30cbb4d6691dd0ebdeec73762a4

88884eb0f67f8594e07d356e3d275

 Malware hash
SHA256

7c70716a66db674e56f6e791fb73f6ce62ca

1ddd8b8a51c74fc7a4ae6ad1b3ad

 Malware hash
SHA256

2b305939d1069c7490b3539e2855ed7538c

1a83eb2baca53e50e7ce1b3a165ab

Malware hash CVE-2021-

3493

 
SHA256

4dcae1bddfc3e2cb98eae84e86fb58ec14ea

6ef00778ac5974c4ec526d3da31f

Malware hash CVE-2021-

4034

 
SHA256

e8e90f02705ecec9e73e3016b8b8fe915873

ed0add87923bf4840831f807a4b4

 Malware hash
SHA256

64a31abd82af27487985a0c0f47946295b12

5e6d128819d1cbd0f6b62a95d6c4

 Malware shell script
SHA256

623e7ad399c10f0025fba333a170887d0107

bead29b60b07f5e93d26c9124955

 Malware shell script
SHA256

59f0b03a9ccf8402e6392e07af29e2cfa1f08

c0fc862825408dea6d00e3d91af

 Malware shell script
SHA256

9ca4fbfa2018fe334ca8f6519f1305c7fbe795

af9eb62e9f58f09e858aab7338

 Malware shell script
SHA256

05727581a43c61c5b71d959d0390d31985d

7e3530c998194670a8d60e953e464

 Malware shell script
SHA256

ea7d79f0ddb431684f63a901afc596af24898

555200fc14cc2616e42ab95ea5d

 Malware hash

 

References

AT&T BUSINESS

# Managed Security Services

Recent Threat Bulletin

A report on Jenkins CVE-2024-23897 vulnerability
Ivanti Zero-Day Vulnerabilities: Connect Secure and IPS
Unmasking Androxgh0st: A deep dive to safeguard your network

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.

logo-img

Positka specializes in high-end technology solutions to help businesses improve their IT infrastructure with advanced Security Protocols, excellence in Analytics, Streamlined IT Operations, & around-the-clock Managed services.

Quick Links

Services

Copyright Positka © . All Rights Reserved.