This fearsome new Linux malware will send a shudder down the spines of IT professionals
A brand new Linux malware strain capable of different kinds of nasties has been detected, including the ability to abuse legitimate cloud services to stay hidden in plain sight.
Cybersecurity researchers from AT&T Alien Labs recently discovered the malware and named it Shikitega. It comes with a super tiny dropper (376 bytes), using a polymorphic encoder that gradually drops the payload. That means that the malware will download and execute one module at a time, making sure it stays hidden and persistent.
The command & control (C2) server for the malware is hosted on a “known hosting service”, making it stealthier, it was said.
Abusing PwnKit
The researchers aren’t absolutely certain what the malware’s authors were trying to achieve.
Shikitega is quite potent, as it can run on all kinds of Linux devices, and allows threat actors to control the webcam on the target endpoint, as well as steal credentials. It is also capable of running XMRig, a known cryptojacker that mines the Monero cryptocurrency for the attackers. One can only speculate that XMRig was added to make use of compromised devices that have no sensitive data to be stolen.
The malware relies on two vulnerabilities, both patched months ago, to compromise the devices and achieve persistence. One is PwnKit (CVE-2021-4034), one of the more infamous vulnerabilities that went undetected for some 12 years, before finally being spotted and fixed earlier this year. The other one is CVE-2021-3493, discovered and patched more than a year ago (in April 2021).
While fixes exist for both of these holes, the researchers say, many IT administrators have yet to apply them, especially on Internet of Things (IoT) devices.
The researchers don’t yet know who the authors are, and advise all Linux admins to keep their software up to date, install an antivirus and/or EDR on all endpoints, and make sure they back up their server files.
Via: Ars Technica