Friday, October 4, 2024

Kiteshield Packer is Being Abused by Linux Cyber Threat Actors


Researchers analyzed a batch of suspicious ELF files with low antivirus detection rates, which used anti-debugging techniques, obfuscation, and encryption, suggesting a sophisticated attacker. 

The files turned out to be known malware packed with Kiteshield. The packer's ability to evade detection matters because it shows that a range of cybercriminals are using Kiteshield, and antivirus engines need to improve at detecting Kiteshield-packed malware.

ELF files packed with Kiteshield contain

Kiteshield Packer encrypts and protects ELF binaries on Linux, and injects a loader that decrypts the packed binary in user space using RC4. 


The loader searches for a specific signature in the binary to identify itself and uses a hidden key within the file to perform decryption, which is obfuscated by XORing it with the loader code itself, making unauthorized decryption difficult. 

Only functions currently on the call stack are decrypted at runtime using a ptrace-based engine, further hindering analysis. 

RC4 key

Kiteshield, a Linux packer, employs anti-debugging techniques to hinder analysis.

The loader checks for debuggers by inspecting the process status and attempting to prevent memory dumps. 

It also obfuscates strings using a single-byte XOR with a key that varies based on character position.

Encrypted strings within the loader include file paths used for further checks and environment variable names employed to disable debugging tools. 

The provided Python code demonstrates how to decrypt these strings based on the XOR logic, allowing for some understanding of the packed binary’s behavior. 

Code snippets used for decrypting strings

The research describes an unpacking method for Kiteshield-packed ELF files: a YARA rule first identifies the packer's signature, and a Python script then parses the file.

The script uses the Crypto.Cipher.ARC4 library to decrypt the packed payload with a key extracted from the file itself, then writes the unpacked ELF to a new file. Comparing detection rates before and after unpacking highlights the effectiveness of Kiteshield's evasion: most antivirus engines only provide generic detections for the packed files.
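To make the two decryption steps above concrete (the position-dependent XOR used on loader strings, and RC4 decryption of the payload with a key that is itself XORed against loader bytes), here is an added example that is not the researchers' script nor Kiteshield's own code. The "key + position" XOR scheme, the blob layout (obfuscated key followed by RC4 payload) and the 16-byte key length are assumptions made for the demo; RC4 is implemented inline so it runs without pycryptodome.

```python
# Added example (not Kiteshield's or Xlab's code): a minimal model of the unpacking
# logic the article describes. The XOR scheme and blob layout are assumptions.
ELF_MAGIC = b"\x7fELF"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); same result as Crypto.Cipher.ARC4, dependency free."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def deobfuscate_string(blob: bytes, base_key: int) -> str:
    """Single-byte XOR whose key shifts with position (assumed scheme: key + i)."""
    return bytes(b ^ ((base_key + i) & 0xFF) for i, b in enumerate(blob)).decode()

def recover_rc4_key(stored_key: bytes, loader_code: bytes) -> bytes:
    """The key stored in the file is XORed with loader bytes; XOR again to undo it."""
    return bytes(k ^ c for k, c in zip(stored_key, loader_code))

def unpack(packed: bytes, loader_code: bytes, key_len: int = 16) -> bytes:
    """Assumed layout for this demo: [obfuscated key][RC4-encrypted ELF payload]."""
    key = recover_rc4_key(packed[:key_len], loader_code)
    payload = rc4(key, packed[key_len:])
    # Sanity check an analyst would apply: a correct key yields an ELF header.
    if not payload.startswith(ELF_MAGIC):
        raise ValueError("decryption did not yield an ELF header; wrong key or layout")
    return payload

# Constructed sample: pack a fake ELF the same way, then unpack it.
LOADER_STUB = bytes(range(0x90, 0xA0))            # stand-in for 16 loader code bytes
REAL_KEY = b"0123456789abcdef"
ORIGINAL_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"payload body"
PACKED = recover_rc4_key(REAL_KEY, LOADER_STUB) + rc4(REAL_KEY, ORIGINAL_ELF)

if __name__ == "__main__":
    print(unpack(PACKED, LOADER_STUB) == ORIGINAL_ELF)
    print(deobfuscate_string(bytes(c ^ (0x41 + i) for i, c in enumerate(b"/proc/self/status")), 0x41))
```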

Comparison of detection rates before and after unpacking Kiteshield-packed ELF files

Researchers at Xlab analyzed three unpacked malware samples. The first (MD5: 951fe6ce076aab5ca94da020a14a8e1c) is a Winnti APT userland rootkit detected by most antivirus software.

The second (MD5: a42249e86867526c09d78c79ae26191d) is a dropper by the previously unknown cybercrime group amdc6766, which targets IT software vulnerabilities and injects malicious code for persistence.

The third (MD5: 5c9887c51a0f633e3d2af54f788da525) is a script for the Gafgyt botnet that antivirus software only partially detected.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
