Cyber Security News

New Malware Dubbed Mélofée Attacking Linux Servers

ExaTrack found a new undetected implant family called Mélofée that targets Linux systems. Three samples of the previously known malicious software, dating from the beginning of 2022, were found by analysts.

The malware has been linked to Chinese state-sponsored APT groups, including the notorious Winnti group.

Capabilities of Mélofée

Researchers analyzed this malware family’s capabilities, including a kernel-mode rootkit, and then went deep through an infrastructure pivot maze to find similar adversary toolkits.

One of the artefacts drops a kernel-mode rootkit based on the open-source Reptile project.

“According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing a hook designed for hiding itself”, researchers said.
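The vermagic string quoted above is stored in a module's `.modinfo` ELF section, so a defender triaging a suspicious `.ko` can read it without loading the module and compare it against the running kernel. The following is an added example (not ExaTrack's code): a minimal ELF64 `.modinfo` reader, plus a constructed sample module carrying the kernel version named on this page; it assumes an uncompressed module file.

```python
import struct

def parse_modinfo(data: bytes) -> dict:
    """Return the key=value pairs from the .modinfo section of an ELF64 kernel module."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # ELFCLASS64 only
        raise ValueError("not an ELF64 object")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)               # section header table offset
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def shdr(i):  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        return struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)

    _, _, _, _, strtab_off, strtab_size, *_ = shdr(e_shstrndx)  # section-name string table
    strtab = data[strtab_off:strtab_off + strtab_size]
    for i in range(e_shnum):
        name_off, _, _, _, off, size, *_ = shdr(i)
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        if name == ".modinfo":
            entries = data[off:off + size].split(b"\0")       # NUL-separated key=value strings
            return dict(e.decode().split("=", 1) for e in entries if b"=" in e)
    raise ValueError(".modinfo section not found")

def vermagic_matches(info: dict, running_kernel: str) -> bool:
    """vermagic starts with the release string, e.g. '5.10.112-108.499.amzn2.x86_64 SMP mod_unload '."""
    return info.get("vermagic", "").split(" ")[0] == running_kernel

def build_sample_ko(vermagic: str) -> bytes:
    """Constructed minimal ELF64 object with only .shstrtab and .modinfo; a stand-in, not a real module."""
    shstrtab = b"\0.shstrtab\0.modinfo\0"                 # name offsets: 1 = .shstrtab, 11 = .modinfo
    modinfo = b"license=GPL\0" + f"vermagic={vermagic} SMP mod_unload ".encode() + b"\0"
    shstr_off = 64                                        # right after the 64-byte ELF header
    modinfo_off = shstr_off + len(shstrtab)
    shoff = modinfo_off + len(modinfo)                    # section headers go last
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # e_ident: ELF64, little-endian, version 1
    # e_type=ET_REL, e_machine=x86-64, version, entry, phoff, shoff, flags, ehsize, phentsize, phnum,
    # shentsize, shnum, shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)

    def sh(name, typ, off, size):  # SHT_NULL=0, SHT_PROGBITS=1, SHT_STRTAB=3
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = sh(0, 0, 0, 0) + sh(1, 3, shstr_off, len(shstrtab)) + sh(11, 1, modinfo_off, len(modinfo))
    return ehdr + shstrtab + modinfo + shdrs

if __name__ == "__main__":
    sample = build_sample_ko("5.10.112-108.499.amzn2.x86_64")   # the version quoted on this page
    info = parse_modinfo(sample)
    print(info["vermagic"], "matches host:", vermagic_matches(info, "5.10.112-108.499.amzn2.x86_64"))
```

On a live host, pass the bytes of the suspect file and the output of `uname -r`; a mismatch means the module cannot load on that kernel as-is, while a match narrows the build target the sample was prepared for.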

Also, the implant and rootkit were installed using shell commands that downloaded the installer and a custom binary package from an adversary-controlled server.

The installer is written in C++ as well and accepts the binary package as an argument. Following that, the rootkit and the server component are extracted and installed.

The capabilities of Mélofée let it communicate with a remote server and obtain instructions that permit it to operate on files, create sockets, launch a shell, and execute arbitrary commands.

The packet formats used by Mélofée:

The following tools are connected to the infrastructure for the Mélofée implants:

  • Cyber Threat Intelligence tracked some of the servers as ShadowPad C&C servers;
  • Other servers were linked to both Winnti and HelloBot tools;
  • Identified related domains used as C&C servers for tools like PlugX, Spark, Cobalt Strike, StowAway, and the legitimate toDesk remote control tool;
  • Lastly, the attacker also probably used the ezXSS tool, but researchers could not confirm why.

Researchers also found that the HelloBot malware family, which similarly targets Linux hosts, is known to be employed by APT groups such as Earth Berberoka.

From at least 2020, a state-sponsored actor known as Earth Berberoka has mostly targeted gambling websites in China with multi-platform malware, including HelloBot and Pupy RAT.

“We assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state sponsored attacker groups during at least all of 2022”, researchers said.

ExaTrack also found another implant, codenamed AlienReverse, that uses publicly available tools like EarthWorm and socks_proxy and shares similarities with Mélofée.

“The Mélofée implant family is another tool in the arsenal of Chinese state sponsored attackers, which show constant innovation and development,” researchers said.

“The capabilities offered by Mélofée are relatively simple but may enable adversaries to conduct their attacks under the radar.”

Moreover, these implants were not frequently observed, indicating that the attacker probably only uses them on high-value targets.



Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
