Kiteshield Packer is Being Abused by Linux Cyber Threat Actors
May 29, 2024, 11:30 a.m.
Description
This analysis uncovers the use of the Kiteshield packer by various cybercriminal groups to evade detection on Linux platforms. The researchers reverse-engineered samples from the APT group Winnti, the cybercrime group DarkMosquito, and a script-kiddie operation, revealing Kiteshield's anti-debugging techniques, string obfuscation, and encryption methods. Despite initial excitement over potentially novel threats, the findings show cybercriminals adopting an existing open-source packer, Kiteshield, to bypass antivirus detection. The report emphasizes the need for improved detection capabilities against this packer as Linux malware continues to evolve.
Date
Published: May 29, 2024, 10:38 a.m.
Created: May 29, 2024, 10:38 a.m.
Modified: May 29, 2024, 11:30 a.m.
Indicators
kiteshield
aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4
d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f
31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355
Attack Patterns
Backdoor:Linux/Winnti
Gafgyt
amdc6766
Winnti
T1027.004
T1569.002
T1564.003
T1027.002
T1059.001
T1059.007
T1071.001
T1562.001
T1543.001
T1027