Friday, May 2, 2025

Kiteshield Packer is Being Abused by Linux Cyber Threat Actors


Researchers analyzed a batch of suspicious ELF files with low antivirus detection rates, which used anti-debugging techniques, obfuscation, and encryption, suggesting a sophisticated attacker. 

The files turned out to be known malware packed with Kiteshield. That the packer alone was enough to evade detection matters for two reasons: it shows that a range of cybercriminals are using Kiteshield, and it shows that antivirus engines need to improve their detection of Kiteshield-packed malware.

ELF files packed with Kiteshield contain

Kiteshield Packer encrypts and protects ELF binaries on Linux, and injects a loader that decrypts the packed binary in user space using RC4. 


The loader locates itself by searching the binary for a specific signature, then reads a key hidden in the file to perform the decryption. The stored key is obfuscated by XORing it with the loader code itself, so recovering it requires the loader bytes as well as the stored value, which makes decryption outside the loader harder.

At runtime, a ptrace-based engine keeps only the functions currently on the call stack decrypted, which further hinders analysis and memory dumping.

RC4 key

Kiteshield also employs anti-debugging techniques to hinder analysis.

The loader checks for a debugger by inspecting the process status and attempts to prevent memory dumps.

It also obfuscates strings using a single-byte XOR with a key that varies based on character position.

Encrypted strings within the loader include file paths used for further checks and environment variable names employed to disable debugging tools. 

The Python code shown in the image reverses this XOR logic to decrypt the strings, which gives some insight into the packed binary's behavior before it is unpacked.

code snippets, used for decrypting strings
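The following is an added example of the position-dependent single-byte XOR described above; it is not Xlab's script and not Kiteshield's source. The key schedule (a hypothetical base byte plus the character index), the sample strings and the constructed loader image are all assumptions. It goes one step beyond the article's description by scanning a blob for obfuscated strings, which requires trying each start offset because the key depends on the index within the string rather than the absolute position:

```python
# Added example, not code from the article or from Kiteshield.
# Assumed schedule: key byte for character i is (BASE_KEY + i) & 0xFF.

PRINTABLE = range(0x20, 0x7F)
BASE_KEY = 0x83  # hypothetical base key; not a value taken from the page


def key_at(index: int) -> int:
    """Key byte for character position `index` (assumed schedule)."""
    return (BASE_KEY + index) & 0xFF


def obf_str(s: str) -> bytes:
    """Obfuscate s plus its NUL terminator, XORing each byte with key_at(i)."""
    raw = s.encode("ascii") + b"\x00"
    return bytes(b ^ key_at(i) for i, b in enumerate(raw))


def deobf_str(blob: bytes, offset: int = 0) -> str:
    """Decode the obfuscated string that starts at `offset`, up to its NUL."""
    out = bytearray()
    for i, b in enumerate(blob[offset:]):
        c = b ^ key_at(i)
        if c == 0:
            return out.decode("ascii")
        out.append(c)
    raise ValueError("no NUL terminator found")


def find_strings(blob: bytes, min_len: int = 4) -> list:
    """Recover every obfuscated string in a loader image.

    Since the key is indexed from the start of each string, a constant-XOR
    strings tool cannot find them; every offset has to be tried as a
    potential string start and rejected as soon as a decoded byte is not
    printable. A decoded 0x00 marks a valid terminator.
    """
    found = []
    off = 0
    while off < len(blob):
        chars = bytearray()
        i = 0
        while off + i < len(blob):
            c = blob[off + i] ^ key_at(i)
            if c == 0:
                break
            if c not in PRINTABLE:
                chars = None
                break
            chars.append(c)
            i += 1
        # Accept only runs that ended on a decoded NUL, not at end of data.
        if chars is not None and len(chars) >= min_len and off + i < len(blob):
            found.append((off, chars.decode("ascii")))
            off += i + 1  # skip past the obfuscated terminator
        else:
            off += 1
    return found


# Constructed loader image: NUL filler around two obfuscated strings of the
# kind the article mentions (a /proc path and an environment-variable name).
# The strings are illustrative, not claims about Kiteshield's real contents.
SAMPLE_LOADER = (
    b"\x00" * 8
    + obf_str("/proc/self/status")
    + b"\x00" * 4
    + obf_str("LD_PRELOAD")
    + b"\x00" * 6
)

if __name__ == "__main__":
    for offset, text in find_strings(SAMPLE_LOADER):
        print(f"0x{offset:04x}: {text}")
```

Running the block lists the two constructed strings with their offsets. Against a real loader the same scan works once the actual key schedule has been read out of the loader's deobfuscation routine; the base key and the exact index arithmetic are the parameters to swap in.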

The Xlab report also describes an unpacking method for Kiteshield-packed ELF files: a YARA rule identifies the packer signature, and a Python script then parses the file.

The script extracts the key from the file itself, decrypts the packed payload with Crypto.Cipher.ARC4, and writes the unpacked ELF to a new file. Comparing detection rates before and after unpacking highlights how effective Kiteshield's evasion is: most antivirus engines only raise generic detections on the packed samples.

comparison of detection rates before and after unpacking Kiteshield-packed ELF files
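The following added example models the unpacking flow described above (locate the signature, recover the key by XORing the stored value with the loader bytes, RC4-decrypt the payload, sanity-check the result). It is not Xlab's script and not the Kiteshield format: the toy layout, the signature marker, the 16-byte key length and the rule that the key is XORed with the first loader bytes are all assumptions, and RC4 is implemented inline so the block runs without pycryptodome:

```python
# Added example, not code from the article, from Xlab or from Kiteshield.
# Assumed toy layout of a packed image (NOT the real Kiteshield layout):
#   [loader stub][SIGNATURE][key XOR first KEY_LEN loader bytes][RC4 payload]

SIGNATURE = b"KSHD_SIG"  # hypothetical marker; the real signature is not reproduced
KEY_LEN = 16             # assumed key length


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_loader(key: bytes, loader: bytes) -> bytes:
    """Key obfuscation as the article describes it: XOR against loader code bytes."""
    if len(loader) < len(key):
        raise ValueError("loader stub shorter than key")
    return bytes(k ^ l for k, l in zip(key, loader))


def pack(loader: bytes, key: bytes, payload: bytes) -> bytes:
    """Build a toy packed image so the unpacker below has something to parse."""
    return loader + SIGNATURE + xor_with_loader(key, loader) + rc4(key, payload)


def unpack(image: bytes):
    """Return (recovered_key, decrypted_payload) or raise on a malformed image."""
    sig_off = image.find(SIGNATURE)
    if sig_off < 0:
        raise ValueError("packer signature not found")
    loader = image[:sig_off]
    key_off = sig_off + len(SIGNATURE)
    stored_key = image[key_off:key_off + KEY_LEN]
    if len(stored_key) != KEY_LEN:
        raise ValueError("truncated key field")
    key = xor_with_loader(stored_key, loader)  # XOR is its own inverse
    payload = rc4(key, image[key_off + KEY_LEN:])
    # A wrong key or wrong layout yields garbage, so check the ELF magic before
    # writing anything out or submitting it to a scanner.
    if payload[:4] != b"\x7fELF":
        raise ValueError("decrypted payload is not an ELF file")
    return key, payload


# Constructed sample: 64 bytes of stand-in loader code, a fixed key and a
# minimal payload that begins with a valid ELF64 identification header.
SAMPLE_LOADER = bytes(range(0x40, 0x80))
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"stand-in inner ELF body"
SAMPLE_IMAGE = pack(SAMPLE_LOADER, SAMPLE_KEY, SAMPLE_PAYLOAD)


def roundtrip_ok() -> bool:
    """True when the unpacker recovers both the key and the original payload."""
    key, payload = unpack(SAMPLE_IMAGE)
    return key == SAMPLE_KEY and payload == SAMPLE_PAYLOAD


if __name__ == "__main__":
    key, payload = unpack(SAMPLE_IMAGE)
    print("recovered key:", key.hex())
    with open("unpacked.elf", "wb") as f:
        f.write(payload)
```

The part worth keeping from this model is the order of operations: the key cannot be read straight out of the file, it has to be combined with the loader bytes first, and the decrypted buffer should be validated (ELF magic, then ideally a full header parse) before it is treated as the original sample. Once a real unpacker writes the inner ELF out, rescanning that file is what produces the before/after detection comparison the report shows.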

Researchers at Xlab analyzed three unpacked malware samples. The first (MD5: 951fe6ce076aab5ca94da020a14a8e1c) is a Winnti APT userland rootkit that most antivirus software detects once unpacked.

The second (MD5: a42249e86867526c09d78c79ae26191d) is a dropper from the previously unknown cybercrime group amdc6766, which targets vulnerabilities in IT software and injects malicious code for persistence.

The third (MD5: 5c9887c51a0f633e3d2af54f788da525) is a script for the Gafgyt botnet that antivirus software only partially detected.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
