Shikitega Malware Targets Linux Devices
Researchers from AT&T’s Alien Labs have detected malware that targets endpoints and Internet of Things (IoT) devices running Linux. The malware, which is being called “Shikitega,” is, in the researchers’ words, “delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one.” Shikitega can be used to take control of vulnerable devices and to install persistent cryptomining malware.
These more subtle attacks easily hide in the noise created by all the Mirai and similar bots flooding Linux devices. Remember that the important attacks are the one-offs, not the top 10 attacks shown by your console.
When you read “Linux,” don’t think only of your servers or desktops; remember that many IoT devices run Linux, with very limited built-in security measures available to deploy. Shikitega is delivered in a very stealthy way and leverages legitimate hosting services for C2 functions. Incorporate the IOCs from the Alien Labs report. The best mitigations are to keep your devices updated, deploy EDR, and have backups. While you can’t deploy EDR to most IoT devices, you can isolate them as much as possible, make sure they are getting updated, and, where possible, export the configuration to make service restoration simpler.