Saturday, June 15, 2024

Kiteshield Packer is Being Abused by Linux Cyber Threat Actors

Researchers analyzed a batch of suspicious ELF files with low antivirus detection rates, which used anti-debugging techniques, obfuscation, and encryption, suggesting a sophisticated attacker. 

The files turned out to be known malware packed with Kiteshield. The packer's success at evading detection matters because it shows that a range of cybercriminals are using Kiteshield, and antivirus engines need to improve their detection of Kiteshield-packed malware.

ELF files packed with Kiteshield contain

Kiteshield Packer encrypts and protects ELF binaries on Linux, and injects a loader that decrypts the packed binary in user space using RC4. 


The loader locates itself by searching the binary for a specific signature and decrypts the payload with a key hidden inside the file; that key is itself obfuscated by XORing it with the loader code, which makes decryption without the loader difficult.

Only functions currently on the call stack are decrypted at runtime using a ptrace-based engine, further hindering analysis. 

RC4 key

Kiteshield, a Linux packer, employs anti-debugging techniques to hinder analysis.

The loader checks for debuggers by inspecting the process status and attempting to prevent memory dumps. 

It also obfuscates strings using a single-byte XOR with a key that varies based on character position.

Encrypted strings within the loader include file paths used for further checks and environment variable names employed to disable debugging tools. 

The Python code in the researchers' report demonstrates how to decrypt these strings based on the XOR logic, giving some insight into the packed binary's behavior.

Code snippets used for decrypting strings

The report describes an unpacking method for Kiteshield-packed ELF files: a YARA rule identifies the packer's signature, and a Python script then parses the file.

The script uses the Crypto.Cipher.ARC4 library to decrypt the packed payload with a key extracted from the file itself, then writes the unpacked ELF to a new file. Comparing detection rates before and after unpacking highlights the effectiveness of Kiteshield's evasion techniques: for the packed files, most antivirus engines provide only generic detections.
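A toy model of the unpacking flow the report describes (recover the stored key by XORing it with the loader bytes, then run RC4 over the payload), together with the position-dependent single-byte string XOR used inside the loader; this is an added example, not Xlab's script or Kiteshield's own code. The file layout, key length, the XOR key schedule (base 0x83 plus character index) and every sample byte are constructed assumptions for illustration; in a real sample the offsets come from parsing the file at the YARA signature match.

```python
# Added example (not Xlab's or Kiteshield's code): toy model of the unpacking flow.
# Layout, key length and the string-XOR schedule are ASSUMED for illustration.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def deobfuscate_string(blob: bytes, base_key: int = 0x83) -> str:
    """Single-byte XOR whose key slides with position (ASSUMED schedule: base + index)."""
    return bytes(c ^ ((base_key + i) & 0xFF) for i, c in enumerate(blob)).decode()

def recover_rc4_key(loader: bytes, obf_key: bytes) -> bytes:
    """The stored key is XORed with the first bytes of the loader code; XOR again to undo it."""
    return bytes(k ^ l for k, l in zip(obf_key, loader))

def unpack(packed: bytes, loader_len: int, key_len: int) -> bytes:
    """ASSUMED layout: [loader code][obfuscated RC4 key][RC4-encrypted inner ELF]."""
    loader = packed[:loader_len]
    obf_key = packed[loader_len:loader_len + key_len]
    payload = packed[loader_len + key_len:]
    return rc4(recover_rc4_key(loader, obf_key), payload)

# Constructed sample: a fake loader, key and payload (no real malware bytes).
LOADER = bytes(range(0x40, 0x60))                      # 32 pseudo "loader" bytes
KEY = b"\x11\x22\x33\x44\x55\x66\x77\x88"              # 8-byte RC4 key
PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"inner binary"
PACKED = LOADER + recover_rc4_key(LOADER, KEY) + rc4(KEY, PAYLOAD)  # XOR is symmetric
# Constructed obfuscated string, built with the same assumed schedule the loader would use.
OBF_SAMPLE = bytes(c ^ ((0x83 + i) & 0xFF) for i, c in enumerate(b"/proc/self/status"))

if __name__ == "__main__":
    unpacked = unpack(PACKED, len(LOADER), len(KEY))
    print("ELF magic restored:", unpacked[:4] == b"\x7fELF")
    print("deobfuscated string:", deobfuscate_string(OBF_SAMPLE))
```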

Comparison of detection rates before and after unpacking Kiteshield-packed ELF files

Researchers at Xlab analyzed three unpacked malware samples. The first (MD5: 951fe6ce076aab5ca94da020a14a8e1c) is a Winnti APT userland rootkit detected by most antivirus software.

The second (MD5: a42249e86867526c09d78c79ae26191d) is a dropper from the previously unknown cybercrime group amdc6766, which targets vulnerabilities in IT software and injects malicious code for persistence.

The third (MD5: 5c9887c51a0f633e3d2af54f788da525) is a script for the Gafgyt botnet that antivirus software only partially detected.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
