Kiteshield Packer is Being Abused by Linux Cyber Threat Actors

May 29, 2024, 11:30 a.m.

Description

This analysis documents the use of the open-source Kiteshield packer by several Linux threat actors to evade detection. The researchers reverse-engineered Kiteshield-packed samples attributed to the APT group Winnti, the cybercrime group DarkMosquito, and a script-kiddie operation, and walk through the packer's anti-debugging tricks, string obfuscation and payload encryption. What first looked like a novel threat turned out to be an off-the-shelf packer adopted to slip past antivirus scanning. The report stresses that detection coverage for this packer needs to improve as Linux malware keeps evolving.
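The summary above names the traits a detector should look for (an encrypted payload, anti-debugging, obfuscated strings) but the page carries no detection logic. The following Python script is an added example, not code from the report or from the Kiteshield project: it matches a file's SHA-256 against the indicators listed on this page and then applies three generic packer heuristics to a 64-bit ELF: a stripped section header table, an executable PT_LOAD segment with near-random entropy (as an encrypted inner ELF would produce), and a raw x86-64 ptrace syscall stub (mov eax, 101; syscall) as a stand-in for an anti-debug probe. The byte patterns, thresholds and scores are assumptions for illustration, not Kiteshield's actual signature, and the two sample ELF images are constructed in the script so it runs offline.

```python
import hashlib
import math
import random
import struct
from collections import Counter

# SHA-256 indicators listed on this page
KITESHIELD_IOCS = {
    "aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4",
    "d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f",
    "31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355",
}

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X = 1
# Assumed heuristic pattern: "mov eax, 101" (ptrace on x86-64) followed shortly by "syscall".
PTRACE_SYSCALL_NR = b"\xb8\x65\x00\x00\x00"
SYSCALL = b"\x0f\x05"
ENTROPY_THRESHOLD = 7.2   # assumed cut-off; plain x86-64 code usually scores well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, 0.0 means a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_elf64(blob: bytes):
    """Return (e_shnum, [(p_type, p_flags, segment_bytes), ...]) for a little-endian ELF64."""
    if len(blob) < 64 or blob[:4] != ELF_MAGIC or blob[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", blob, 0x20)
    e_phentsize, e_phnum, _e_shentsize, e_shnum = struct.unpack_from("<HHHH", blob, 0x36)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", blob, e_phoff + i * e_phentsize)
        segments.append((p_type, p_flags, blob[p_offset:p_offset + p_filesz]))
    return e_shnum, segments


def has_ptrace_syscall(blob: bytes) -> bool:
    """True if a 'syscall' instruction has 'mov eax, 101' within the 16 bytes before it."""
    pos = blob.find(SYSCALL)
    while pos != -1:
        if PTRACE_SYSCALL_NR in blob[max(0, pos - 16):pos]:
            return True
        pos = blob.find(SYSCALL, pos + 1)
    return False


def assess(blob: bytes) -> dict:
    """Score a file: exact IOC hit first, then the generic packer heuristics."""
    score, reasons = 0, []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in KITESHIELD_IOCS:
        score += 10
        reasons.append("sha256 matches a listed Kiteshield indicator")
    e_shnum, segments = parse_elf64(blob)
    if e_shnum == 0:
        score += 1
        reasons.append("section header table stripped")
    for p_type, p_flags, data in segments:
        if p_type == PT_LOAD and p_flags & PF_X:
            ent = shannon_entropy(data)
            if ent > ENTROPY_THRESHOLD:
                score += 2
                reasons.append(f"executable PT_LOAD with entropy {ent:.2f} bits/byte")
    if has_ptrace_syscall(blob):
        score += 1
        reasons.append("raw ptrace syscall stub present")
    verdict = "likely packed" if score >= 3 else "no packer indicators"
    return {"sha256": digest, "score": score, "reasons": reasons, "verdict": verdict}


def build_elf64(segment: bytes, shnum: int) -> bytes:
    """Assemble a minimal ELF64 image with one RX PT_LOAD segment (constructed test input, not runnable)."""
    ehsize, phentsize = 64, 56
    seg_off = ehsize + phentsize
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT, SYSV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + seg_off,
                               ehsize, 0, 0, ehsize, phentsize, 1, 64, shnum, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, seg_off, 0x400000 + seg_off,
                       0x400000 + seg_off, len(segment), len(segment), 0x1000)
    return ehdr + phdr + segment


def sample_packed() -> bytes:
    """Constructed stand-in for a packed binary: tiny loader stub plus 4 KiB of random 'ciphertext'."""
    rng = random.Random(20240529)
    loader = b"\x48\x31\xff" + PTRACE_SYSCALL_NR + SYSCALL + b"\xc3"   # xor rdi,rdi; mov eax,101; syscall; ret
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_elf64(loader + payload, shnum=0)


def sample_plain() -> bytes:
    """Constructed stand-in for an ordinary binary: repetitive code bytes, text, section headers kept."""
    code = b"\x55\x48\x89\xe5\x90\xc3" * 64 + b"Hello, world\n" * 32
    return build_elf64(code, shnum=6)


if __name__ == "__main__":
    for name, blob in (("packed", sample_packed()), ("plain", sample_plain())):
        print(name, assess(blob))
```

To use this on a real corpus, replace the constructed samples with `open(path, "rb").read()` per file; the hash check is exact, while the heuristic score is a triage signal that will also fire on legitimately stripped, compressed or self-decrypting binaries and should be confirmed by unpacking or dynamic analysis.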

Date

Published: May 29, 2024, 10:38 a.m.
Created: May 29, 2024, 10:38 a.m.
Modified: May 29, 2024, 11:30 a.m.

Indicators

kiteshield

aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4

d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f

31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355

Attack Patterns

Backdoor:Linux/Winnti

Gafgyt

amdc6766

Winnti

T1027.004 (Obfuscated Files or Information: Compile After Delivery)

T1569.002 (System Services: Service Execution)

T1564.003 (Hide Artifacts: Hidden Window)

T1027.002 (Obfuscated Files or Information: Software Packing)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1059.007 (Command and Scripting Interpreter: JavaScript)

T1071.001 (Application Layer Protocol: Web Protocols)

T1562.001 (Impair Defenses: Disable or Modify Tools)

T1543.001 (Create or Modify System Process: Launch Agent)

T1027 (Obfuscated Files or Information)