Researchers Uncover New Linux Malware Linked to Chinese APT Groups

March 29, 2023 · Ravie Lakshmanan · Linux / Cyber threats


An unidentified Chinese government-sponsored hacking group is linked to new malware targeting Linux servers.

French cybersecurity firm ExaTrack, which found three samples of the previously documented malicious software dating back to early 2022, dubbed it Mélofée.

One of the artifacts is designed to drop a kernel-mode rootkit based on an open source project called Reptile.

“According to vermagic metadata, it was compiled for kernel version 5.10.112-108.499.amzn2.x86_64,” the company said in a report. “Rootkits have a limited set of functions, mostly installing hooks designed to hide themselves.”

Both the implant and the rootkit are said to be deployed using shell commands that download an installer and a custom binary package from a remote server.

The installer takes the binary package as an argument and extracts the rootkit as well as a server implant module that is currently under development.
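The vermagic string quoted in the report is ordinary kernel-module metadata: it lives in the `.modinfo` section of the `.ko` file and names the exact kernel release the module was built against. As an added example (not ExaTrack's tooling or anything from the report), the following script pulls that section out of an ELF64 module, parses the key=value records, and compares the build target against a running kernel release, so an analyst can check whether a recovered module was compiled for the host it was found on (here an Amazon Linux 2 kernel). The module name and the `.modinfo` contents other than the vermagic string are constructed placeholders, and `build_fake_ko` only exists to fabricate a minimal test object offline.

```python
import struct
import sys
import os

# Constructed .modinfo payload (NUL-separated key=value strings). The vermagic
# value is the one quoted in the report; the other fields are placeholders.
SAMPLE_MODINFO = (
    b"license=GPL\0"
    b"depends=\0"
    b"name=sample_module\0"  # hypothetical module name
    b"vermagic=5.10.112-108.499.amzn2.x86_64 SMP mod_unload modversions \0"
)

SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr, 64 bytes


def parse_modinfo(blob: bytes) -> dict:
    """Split a .modinfo section into key/value pairs (the layout modinfo(8) reads)."""
    info = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            info[key.decode()] = value.decode(errors="replace")
    return info


def elf64_sections(data: bytes) -> dict:
    """Return {section_name: bytes} for a little-endian ELF64 object such as a .ko file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off, str_size = hdrs[e_shstrndx][4], hdrs[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh_name, _type, _flags, _addr, sh_offset, sh_size, *_rest in hdrs:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        sections[name] = data[sh_offset:sh_offset + sh_size]
    return sections


def module_vermagic(ko_bytes: bytes) -> str:
    """Extract the vermagic string from a kernel module image ('' if absent)."""
    return parse_modinfo(elf64_sections(ko_bytes).get(".modinfo", b"")).get("vermagic", "")


def kernel_release(vermagic: str) -> str:
    """The first whitespace-separated token of vermagic is the target kernel release."""
    return vermagic.split()[0] if vermagic.strip() else ""


def assess(ko_bytes: bytes, running_release: str) -> dict:
    """Compare a module's build target against a running kernel release."""
    vermagic = module_vermagic(ko_bytes)
    release = kernel_release(vermagic)
    return {
        "vermagic": vermagic,
        "built_for": release,
        "matches_running_kernel": release == running_release,
        "amazon_linux_2_build": ".amzn2." in release,
    }


def build_fake_ko(modinfo: bytes) -> bytes:
    """Construct a minimal ELF64 relocatable object with .modinfo and .shstrtab (test input only)."""
    shstrtab = b"\0.modinfo\0.shstrtab\0"  # name offsets: .modinfo=1, .shstrtab=10
    modinfo_off = 64
    shstrtab_off = modinfo_off + len(modinfo)
    shoff = (shstrtab_off + len(shstrtab) + 7) & ~7  # 8-byte align the section header table
    body = modinfo + shstrtab
    body += b"\0" * (shoff - 64 - len(body))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\0" * 9,  # ELF64, little-endian, version 1
                       1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)  # ET_REL, x86-64
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # mandatory null section
    shdrs += struct.pack(SHDR_FMT, 1, 1, 0, 0, modinfo_off, len(modinfo), 0, 0, 1, 0)  # SHT_PROGBITS
    shdrs += struct.pack(SHDR_FMT, 10, 3, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0)  # SHT_STRTAB
    return ehdr + body + shdrs


if __name__ == "__main__":
    # Usage: python check_vermagic.py suspicious.ko  (defaults to the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_ko(SAMPLE_MODINFO)
    for key, value in assess(image, os.uname().release).items():
        print(f"{key}: {value}")
```

A module whose vermagic names a kernel the host has never run is worth a closer look, and the converse is the case the report describes: a rootkit built precisely for the distribution kernel of its intended victims. The parser deliberately reads only section headers and never trusts anything else in the file, which keeps it safe to run on an untrusted sample.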

Mélofée’s functionality is similar to that of other backdoors of its kind: it can connect to remote servers and receive instructions that allow it to perform file operations, create sockets, launch shells, and execute arbitrary commands.

The malware’s connection to China stems from infrastructure overlaps with groups such as APT41 (aka Winnti) and Earth Berberoka (aka GamblingPuppet).

Earth Berberoka is the name given to state-sponsored actors who have primarily targeted Chinese gambling websites since at least 2020, using multi-platform malware such as HelloBot and Pupy RAT.

According to Trend Micro, some of the Python-based Pupy RAT samples are hidden using the Reptile rootkit.


ExaTrack also discovered another implant codenamed AlienReverse. It is similar in code to Mélofée and makes use of public tools such as EarthWorm and socks_proxy.

“The Mélofée implant family is another tool in the Chinese government-backed attacker’s arsenal that demonstrates constant innovation and development,” the company said.

“While the functionality provided by Mélofée is relatively simple, it has the potential to allow adversaries to carry out attacks under the radar. It indicates that it is likely to limit to
