New parts of malware Linux a hidden device called Shikitega has been found to adopt a multi-stage chain of infection to compromise end points, IoT devices and deposit additional payloads. The findings add to the growing list of Linux malware discovered in recent months. Including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework. Once deployed on the targeted host, the attack chain downloads and executes Metasploit's "Mettle" meterpreter. To maximize control, exploit vulnerabilities to escalate its privileges, add persistence to the host through crontab, and finally launch a cryptocurrency miner. On infected devices.

     Shikitega has the ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory. Malware operators use "Shikata ga nai" polymorphic encoders to make them harder to detect by antivirus engines and abuse legitimate cloud services for C2 functionality.

     Shikitega also points to the tendency of malicious actors to expand the reach of their attacks to accommodate Linux operating systems that are widely used in cloud platforms and servers around the world.

     The emergence of this new Linux ransomware family is directly related to a 75% increase in ransomware attacks targeting Linux systems. In the first half of 2022 compared to the first half of 2021. Threat actors are constantly looking for ways to deliver malware in new ways to stay under the radar and evade detection.