Shikitega: New Malware Program Targeting Linux

submitted by
Style Pass
2022-09-21 18:30:10

Usually, Linux malware targets servers and cloud instances. You know, where there’s big-time CPU horsepower to turn to cryptocurrency mining. Shikitega, however, likes to go for the low-hanging fruit of desktops and IoT devices. Of course, it will happily attack servers as well. Like all malware, it’s an equal-opportunity attacker.

According to AT&T Alien Labs, which discovered it, Shikitega is delivered through a multistage infection chain. The infection starts with a tiny (370 bytes) Executable and Linkable Format (ELF) file. In case you’ve forgotten, or you never knew, never ever download an unknown ELF file. It’s just asking for trouble.

Of course, you may not even know there’s such a minute file hiding inside a larger package. So, just like with Windows, be sure you know what’s in every package and where it came from before installing it.

Then, once the first stage is in place, it downloads and executes another module, which in turn downloads and executes the next one, and so on. Besides bringing in the next stage, each module has its own specific task. These include downloading and executing the Metasploit meterpreter, hunting down and exploiting Linux vulnerabilities, and setting up persistence on the infected machine. It does this last part by trying to run shell programs to set up four crontabs: two for the currently logged-in user and the other two for root. If you don’t have crontab installed, it will attempt to install and start the crontab service.
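A 370-byte first stage is far smaller than anything a normal compiler and linker produce, so file size plus a look at the ELF header makes a cheap triage check for the kind of dropper described above. The following is an added example, not code from the article or from AT&T Alien Labs; the 1024-byte cut-off, the "no section headers" heuristic, and the function names are assumptions, and the sample file is constructed, inert test data.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
TINY_BYTES = 1024  # assumed triage cut-off; the article only gives the 370-byte figure

def inspect_elf(path):
    """Return header facts for an ELF file, or None if the file is not ELF."""
    with open(path, "rb") as f:
        head = f.read(64)
    if len(head) < 52 or head[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = head[4], head[5]      # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    shnum_off = 48 if ei_class == 1 else 60   # e_shnum offset differs by class
    if len(head) < shnum_off + 2:
        return None
    (e_type,) = struct.unpack_from(endian + "H", head, 16)
    (e_shnum,) = struct.unpack_from(endian + "H", head, shnum_off)
    return {"path": path, "size": os.path.getsize(path),
            "bits": 32 * ei_class, "e_type": e_type, "e_shnum": e_shnum}

def scan_tree(root, tiny_bytes=TINY_BYTES):
    """Walk root; return ELF files that are unusually small or lack section headers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                info = inspect_elf(path)
            except OSError:
                continue                      # unreadable file: skip, keep scanning
            if info is None:
                continue
            reasons = []
            if info["size"] <= tiny_bytes:
                reasons.append("tiny")
            if info["e_shnum"] == 0:          # heuristic: hand-built or stripped binary
                reasons.append("no-section-headers")
            if reasons:
                findings.append({**info, "reasons": reasons})
    return sorted(findings, key=lambda f: f["size"])

def make_sample_elf(size, e_shnum=0):
    """Constructed ELF64 little-endian header padded with zeros; inert test data."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, e_shnum, 0)
    return (ident + rest).ljust(size, b"\0")
```

Point `scan_tree` at an unpacked package or a download directory before installing; a hit is a reason to look closer, not proof of malware, since legitimately stripped binaries can also lack section headers.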
