Kiteshield Packer is Being Abused by Linux Cyber Threat Actors

May 29, 2024, 11:30 a.m.

Description

This analysis uncovers the use of the Kiteshield packer by various cybercriminal groups to evade detection on Linux platforms. The researchers reverse-engineered samples from the APT group Winnti, the cybercrime group DarkMosquito, and a script-kiddie operation, revealing Kiteshield's anti-debugging techniques, string obfuscation, and encryption methods. Despite the initial excitement over potentially novel threats, the findings show cybercriminals adopting Kiteshield to bypass antivirus detection. The report emphasizes the need for improved detection capabilities against this packer as Linux malware continues to evolve.

Date

  • Created: May 29, 2024, 10:38 a.m.
  • Published: May 29, 2024, 10:38 a.m.
  • Modified: May 29, 2024, 11:30 a.m.

Indicators

  • kiteshield
  • aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4
  • d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f
  • 31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355

Attack Patterns