Analysis
On 6th Sept 2022, AT&T Alien Labs published a blog post about a newly discovered malware named Shikitega that actively targets endpoint devices running Linux.
The initial dropper is only 370 bytes. Once it lands on a machine, the encoded payload is decoded in several rounds; because the main code is so small, the malware fetches additional commands from its C&C server, and those commands in turn download further files. Among them is 'mettle', a Metasploit Meterpreter payload that gives the attacker a wide range of capabilities, including webcam control, packet sniffing, multiple reverse shells and execution of shell commands.
The malware then runs a shell command that downloads additional files and exploits two privilege escalation vulnerabilities, CVE-2021-3493 and CVE-2021-4034, so that the final stage executes with root privileges. For persistence it downloads and executes a total of five shell scripts and installs four crontabs; once the crontabs are in place it deletes the downloaded files, then downloads and runs the XMRig cryptocurrency miner.
Prevention
- Keep the system software up to date with security updates.
- Use Antivirus or EDR in all endpoints.
- Take regular backups of end devices to reduce the impact of any kind of malware attacks.
Detection
Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of this malware (the C&C domains and file hashes listed under Indicators of Compromise below) so that any match is raised as an alert.
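As an added illustration of the kind of rule described above (this is example code written for this page, not tooling from AT&T Alien Labs), the script below matches DNS query logs against the two C&C domains and matches file hashes against a subset of the SHA256 indicators from the IOC table on this page. The DNS log format, host names and client addresses are constructed assumptions; the remaining hashes from the table can be pasted into the same set.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Indicators taken from this page's IOC table (domains are de-fanged there).
C2_DOMAINS = {
    "dash[.]cloudflare.ovh",
    "main[.]cloudfronts.net",
}

# Subset of the SHA256 indicators from the IOC table; add the rest in the same way.
MALWARE_SHA256 = {
    "b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331",  # Malware hash
    "0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed",  # Malware hash
    "2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab",  # CVE-2021-3493
    "4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f",  # CVE-2021-4034
    "64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4",  # Shell script
}

# Constructed sample DNS log, not real telemetry; the line format is an assumption.
SAMPLE_DNS_LOG = """\
2022-09-07T10:01:02Z host01 dns query=www.example.com client=10.0.0.5
2022-09-07T10:01:05Z host01 dns query=dash.cloudflare.ovh client=10.0.0.5
2022-09-07T10:02:11Z host02 dns query=MAIN.cloudfronts.net. client=10.0.0.9
2022-09-07T10:02:30Z host02 dns query=updates.example.org client=10.0.0.9
"""

_DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dns\s+query=(?P<qname>\S+)")


def refang(domain: str) -> str:
    """Turn a de-fanged indicator into a comparable lower-case name without a trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS_NORMALISED = {refang(d) for d in C2_DOMAINS}


def validate_iocs() -> List[str]:
    """Return any hash indicator that is not a well-formed 64-character hex SHA256."""
    return [h for h in MALWARE_SHA256 if not re.fullmatch(r"[0-9a-f]{64}", h)]


def find_c2_dns_hits(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, domain) for every query that resolves a known C&C domain."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = _DNS_LINE.match(line)
        if not m:
            continue  # not a DNS query line in the assumed format
        qname = refang(m.group("qname"))  # case- and trailing-dot-insensitive compare
        if qname in C2_DOMAINS_NORMALISED:
            hits.append((line_no, m.group("host"), qname))
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory byte string, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def is_known_malware_hash(digest: str) -> bool:
    """True if the digest (any case, surrounding whitespace ignored) is in the IOC set."""
    return digest.strip().lower() in MALWARE_SHA256


def scan_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Hash each regular file in 1 MiB chunks and return (path, sha256) for IOC matches."""
    matches = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        if is_known_malware_hash(h.hexdigest()):
            matches.append((str(path), h.hexdigest()))
    return matches


if __name__ == "__main__":
    bad = validate_iocs()
    print("malformed IOC hashes:", bad or "none")
    for line_no, host, domain in find_c2_dns_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"ALERT line {line_no}: {host} queried C&C domain {domain}")
    # Hashing the script itself shows the file path; it will not match an IOC.
    print("file matches:", scan_files([__file__]) or "none")
```

Both sides of the domain comparison are normalised (de-fanging removed, lower-cased, trailing dot stripped) so a rule does not miss a query written as `MAIN.cloudfronts.net.`; the hash lookup normalises case for the same reason. In a real SIEM the same two lookups become a list-match rule on the DNS query field and on the file hash field of endpoint telemetry.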
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1569 | System Services (T1569.002: Service Execution) |
Persistence | T1543 | Create or Modify System Process |
Defense Evasion | T1027 | Obfuscated Files or Information |
Indicators of Compromise (IOCs)
Type | Indicator | Description |
DOMAIN | dash[.]cloudflare.ovh | Command and control |
DOMAIN | main[.]cloudfronts.net | Command and control |
SHA256 | b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331 | Malware hash |
SHA256 | 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed | Malware hash |
SHA256 | f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb | Malware hash |
SHA256 | 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732 | Malware hash |
SHA256 | d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374 | Malware hash |
SHA256 | fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765 | Malware hash |
SHA256 | e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d | Malware hash |
SHA256 | cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d | Malware hash |
SHA256 | d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8 | Malware hash |
SHA256 | 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8 | Malware hash |
SHA256 | 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7 | Malware hash |
SHA256 | 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5 | Malware hash |
SHA256 | 3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098 | Malware hash |
SHA256 | 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275 | Malware hash |
SHA256 | 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad | Malware hash |
SHA256 | 2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab | Malware hash (CVE-2021-3493) |
SHA256 | 4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f | Malware hash (CVE-2021-4034) |
SHA256 | e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4 | Malware hash |
SHA256 | 64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4 | Malware shell script |
SHA256 | 623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955 | Malware shell script |
SHA256 | 59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af | Malware shell script |
SHA256 | 9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338 | Malware shell script |
SHA256 | 05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464 | Malware shell script |
SHA256 | ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d | Malware hash |
References
AT&T Business (AT&T Alien Labs blog, 6th Sept 2022): "Shikitega - New stealthy malware targeting Linux"