ExaTrack found a new, previously undetected implant family called Mélofée that targets Linux systems. Analysts found three samples of this previously unknown malware, dating from the beginning of 2022.
The malware is linked to Chinese state-sponsored APT groups, including the notorious Winnti group.
Researchers analyzed this malware family’s capabilities, including a kernel-mode rootkit, and then went deep through an infrastructure pivot maze to find similar adversary toolkits.
One of the artefacts drops a kernel-mode rootkit based on the open source Reptile project.
“According to the vermagic metadata, it is compiled for kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing a hook designed for hiding itself,” the researchers said.
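Two defender-side checks follow directly from the rootkit details above: reading the vermagic string out of a module's `.modinfo` section to see which kernel it was built for, and comparing the kernel's two views of loaded modules to spot one that has unlinked itself from the list behind `/proc/modules`. The script below is an added example, not ExaTrack's tooling or the Reptile project's code; the `.modinfo` bytes, the `/proc/modules` text, the `/sys/module` listing and the module name `reptile_module` are all constructed so it runs offline, and only the vermagic kernel release is taken from the report.

```python
"""Added example (not ExaTrack's code): vermagic extraction and a
hidden-module check based on the Reptile-style behaviour described above.
All sample inputs are constructed; on a live host read the real files."""
import os
import struct

# Constructed .modinfo payload. The real section is a run of NUL-terminated
# "key=value" records; only the vermagic kernel release comes from the report.
SAMPLE_MODINFO = (
    b"license=GPL\0"
    b"depends=\0"
    b"name=reptile_module\0"
    b"vermagic=5.10.112-108.499.amzn2.x86_64 SMP mod_unload modversions \0"
)

# Constructed /proc/modules text (what lsmod reads) and a constructed map of
# /sys/module entries -> whether /sys/module/<name>/initstate exists. Built-in
# modules that only expose parameters (e.g. printk) have no initstate file, so
# they must not be reported as hidden.
SAMPLE_PROC_MODULES = (
    "xfs 1581056 1 - Live 0xffffffffc0300000\n"
    "ena 118784 0 - Live 0xffffffffc0200000\n"
)
SAMPLE_SYS_MODULE = {"xfs": True, "ena": True, "reptile_module": True, "printk": False}


def parse_modinfo(section: bytes) -> dict:
    """Split a .modinfo section into a key -> value dict."""
    info = {}
    for record in section.split(b"\0"):
        if b"=" not in record:
            continue
        key, _, value = record.partition(b"=")
        info[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return info


def vermagic_kernel_release(section: bytes) -> str:
    """The first vermagic token is the kernel release the module was built for."""
    vermagic = parse_modinfo(section).get("vermagic", "")
    return vermagic.split()[0] if vermagic.split() else ""


def vermagic_matches(section: bytes, running_release: str) -> bool:
    """True when the module targets the running kernel (compare with `uname -r`)."""
    return vermagic_kernel_release(section) == running_release


def read_modinfo_from_ko(path: str) -> bytes:
    """Pull the raw .modinfo section out of an ELF64 little-endian .ko file.
    Minimal parser: only the header fields needed to find one section by name."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def section(i):
        off = e_shoff + i * e_shentsize
        sh_name = struct.unpack_from("<I", data, off)[0]
        sh_offset, sh_size = struct.unpack_from("<QQ", data, off + 0x18)
        return sh_name, sh_offset, sh_size

    _, str_off, str_size = section(e_shstrndx)
    shstrtab = data[str_off:str_off + str_size]
    for i in range(e_shnum):
        sh_name, sh_offset, sh_size = section(i)
        if shstrtab[sh_name:shstrtab.index(b"\0", sh_name)] == b".modinfo":
            return data[sh_offset:sh_offset + sh_size]
    raise ValueError(".modinfo section not found")


def hidden_modules(proc_modules_text: str, sys_module_has_initstate: dict) -> list:
    """Loaded modules visible in sysfs but missing from /proc/modules."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(name for name, loaded in sys_module_has_initstate.items()
                  if loaded and name not in listed)


def live_hidden_modules() -> list:
    """Same check against the real files on a Linux host."""
    with open("/proc/modules") as f:
        text = f.read()
    names = {n: os.path.exists(f"/sys/module/{n}/initstate") for n in os.listdir("/sys/module")}
    return hidden_modules(text, names)


if __name__ == "__main__":
    print("built for:", vermagic_kernel_release(SAMPLE_MODINFO))
    print("matches 5.10.112-108.499.amzn2.x86_64:",
          vermagic_matches(SAMPLE_MODINFO, "5.10.112-108.499.amzn2.x86_64"))
    print("hidden:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
```

The vermagic check is useful in triage because a module compiled for one specific Amazon Linux kernel release is a strong hint about the environment the attacker prepared it for. The `/proc/modules` versus `/sys/module` comparison only catches a module that unlinks itself from the module list but leaves its kobject in sysfs; a rootkit that detaches both views evades it, and at that point a memory-based check (for example a kernel-memory scan from a trusted boot) is the remaining option.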
Also, the implant and rootkit were installed using shell commands that downloaded the installer and a custom binary package from an adversary-controlled server.
The installer is written in C++ as well and accepts the binary package as an argument. Following that, the rootkit and the server component are extracted and installed.
The capabilities of Mélofée let it communicate with a remote server and obtain instructions that permit it to operate on files, create sockets, launch a shell, and execute arbitrary commands.
The packet formats used by Mélofée:
The following tools are connected to the infrastructure for the Mélofée implants:
Researchers found the malware family HelloBot, which similarly targets Linux hosts, is known to be employed by APT groups like Earth Berberoka.
From at least 2020, a state-sponsored actor known as Earth Berberoka has mostly targeted gambling websites in China with multi-platform malware, including HelloBot and Pupy RAT.
“We assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state-sponsored attacker groups during at least all of 2022,” the researchers said.
ExaTrack also found another implant, codenamed AlienReverse, that uses publicly available tools like EarthWorm and socks_proxy and has similarities to Mélofée.
“The Mélofée implant family is another tool in the arsenal of Chinese state-sponsored attackers, which shows constant innovation and development,” the researchers said.
“The capabilities offered by Mélofée are relatively simple but may enable adversaries to conduct their attacks under the radar.”
Moreover, these implants were not frequently observed, indicating that the attacker probably only uses them on high-value targets.