Kiteshield Packer is Being Abused by Linux Cyber Threat Actors


Researchers analyzed a batch of suspicious ELF files with low antivirus detection rates, which used anti-debugging techniques, obfuscation, and encryption, suggesting a sophisticated attacker. 

The files turned out to be known malware packed with Kiteshield. The fact that this packer evades detection matters because it shows that a range of cybercriminals are using Kiteshield, and antivirus engines need to improve their detection of Kiteshield-packed malware.

ELF files packed with Kiteshield contain

Kiteshield Packer encrypts and protects ELF binaries on Linux, and injects a loader that decrypts the packed binary in user space using RC4. 


The loader searches for a specific signature in the binary to identify itself and uses a hidden key within the file to perform decryption, which is obfuscated by XORing it with the loader code itself, making unauthorized decryption difficult. 

Only functions currently on the call stack are decrypted at runtime using a ptrace-based engine, further hindering analysis. 

RC4 key

Kiteshield, a Linux packer, employs anti-debugging techniques to hinder analysis.

The loader checks for debuggers by inspecting the process status and attempting to prevent memory dumps. 

It also obfuscates strings using a single-byte XOR with a key that varies based on character position.

Encrypted strings within the loader include file paths used for further checks and environment variable names employed to disable debugging tools. 

The provided Python code demonstrates how to decrypt these strings based on the XOR logic, allowing for some understanding of the packed binary’s behavior. 

code snippets, used for decrypting strings

The report describes an unpacking method for Kiteshield-packed ELF files: identify the packer by matching a specific YARA rule signature, then parse the file with a Python script.

The script uses the Crypto.Cipher.ARC4 library to decrypt the packed payload with a key extracted from the file itself, then writes the unpacked ELF to a new file. This highlights the effectiveness of Kiteshield's evasion techniques; most antivirus engines only provide generic detections.
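To make the two steps described above concrete (position-dependent XOR string decoding, and RC4 unpacking with a key recovered by XORing the stored key against loader bytes), here is an added Python example that is not the researchers' script and does not reproduce Kiteshield's real file layout or key schedule. The layout, the `seed + index` XOR rule, and the sample blob are constructed assumptions for illustration; RC4 is implemented inline instead of importing Crypto.Cipher.ARC4.

```python
ELF_MAGIC = b"\x7fELF"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); stands in for Crypto.Cipher.ARC4."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_string(data: bytes, seed: int) -> bytes:
    """Single-byte XOR whose key changes with position (ASSUMED rule:
    key = seed + index). The same call both encodes and decodes."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


def recover_key(obf_key: bytes, loader_code: bytes) -> bytes:
    """The stored RC4 key is XORed with loader bytes; XOR again to undo it."""
    return bytes(k ^ c for k, c in zip(obf_key, loader_code))


def unpack(blob: bytes, loader_len: int, key_len: int) -> bytes:
    """Toy layout (assumed): [loader code][obfuscated key][RC4 payload]."""
    loader = blob[:loader_len]
    obf_key = blob[loader_len:loader_len + key_len]
    payload = blob[loader_len + key_len:]
    elf = rc4(recover_key(obf_key, loader), payload)
    if elf[:4] != ELF_MAGIC:  # sanity check before writing anything out
        raise ValueError("decrypted payload is not an ELF image")
    return elf


def build_sample():
    """Constructed packed blob for the demo; not a real Kiteshield file."""
    loader = bytes(range(0x40, 0x40 + 16))          # fake loader bytes
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    elf = ELF_MAGIC + b"\x02\x01\x01\x00" + b"toy ELF body"
    blob = loader + recover_key(key, loader) + rc4(key, elf)
    return blob, len(loader), len(key), elf
```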

comparison of detection rates before and after unpacking Kiteshield-packed ELF files

Researchers at Xlab analyzed three unpacked malware samples, where the first (MD5: 951fe6ce076aab5ca94da020a14a8e1c) is a Winnti APT userland rootkit detected by most antivirus software. 

The second (MD5: a42249e86867526c09d78c79ae26191d) is a dropper from the previously unknown cybercrime group amdc6766, which targets IT software vulnerabilities and injects malicious code for persistence.

The third (MD5: 5c9887c51a0f633e3d2af54f788da525) is a script for the Gafgyt botnet that antivirus software only partially detected.
