Cyber Security News

New Malware Dubbed Mélofée Attacking Linux Servers

ExaTrack has found a previously undetected implant family, dubbed Mélofée, that targets Linux servers. Analysts recovered three samples of the previously unknown malware, dating from the beginning of 2022.

The malware is attributed to Chinese state-sponsored APT groups, including the notorious Winnti group.

Capabilities of Mélofée

Researchers analyzed the malware family's capabilities, including a kernel-mode rootkit, and then pivoted through the associated infrastructure to uncover related adversary toolkits.

One of the artefacts drops a kernel-mode rootkit based on the open-source Reptile project.

“According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing a hook designed for hiding itself”, the researchers said.

The implant and the rootkit were installed using shell commands that downloaded an installer and a custom binary package from an adversary-controlled server.

The installer, also written in C++, takes the binary package as an argument; it then extracts and installs the rootkit and the server component.
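The vermagic string quoted above is the kind of detail a responder pulls from a dropped .ko during triage: it names the exact kernel release the rootkit was built for, and a module built for another kernel will not load without forcing. The script below is an added example, not ExaTrack's code or any Mélofée tooling. It parses the .modinfo section of an ELF64 kernel module with only the standard library and compares the vermagic release against a target kernel. Only the kernel release string 5.10.112-108.499.amzn2.x86_64 comes from the report; the module name, the "SMP mod_unload modversions" flags and the minimal ELF layout of the sample module are constructed here so the example runs offline.

```python
"""Triage a Linux kernel module (.ko): read its .modinfo entries and check
the vermagic kernel release against a target host.  Added example; the sample
module built here is constructed and is not loadable."""
import os
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # e_ident, e_type ... e_shstrndx (64 bytes)
ELF64_SHDR = "<IIQQQQIIQQ"         # sh_name, sh_type ... sh_entsize (64 bytes)


def parse_modinfo(data: bytes) -> dict:
    """Return the .modinfo key/value pairs of an ELF64 little-endian module.
    Keys that repeat (e.g. 'parm', 'depends') are kept as lists."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    eh = struct.unpack_from(ELF64_EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = eh[6], eh[11], eh[12], eh[13]
    shdrs = [struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]          # section-name string table

    def sec_name(sh):
        start = strtab_off + sh[0]
        return data[start:data.index(b"\0", start)].decode()

    for sh in shdrs:
        if sec_name(sh) == ".modinfo":
            blob = data[sh[4]:sh[4] + sh[5]]   # sh_offset, sh_size
            break
    else:
        raise ValueError("no .modinfo section: not a kernel module?")
    info = {}
    for entry in blob.split(b"\0"):            # entries are NUL-separated
        if b"=" in entry:
            key, val = entry.decode(errors="replace").split("=", 1)
            info.setdefault(key, []).append(val)
    return info


def vermagic_release(info: dict) -> str:
    """The first token of vermagic is the kernel release the module targets."""
    return info["vermagic"][0].split()[0]


def check_vermagic(info: dict, running_release: str) -> bool:
    """True when the module was built for the given kernel release."""
    return vermagic_release(info) == running_release


def build_sample_module(modinfo: dict) -> bytes:
    """Construct a minimal ELF64 relocatable with just .modinfo and .shstrtab,
    enough for parse_modinfo().  Constructed test input, not a real module."""
    blob = b"".join(f"{k}={v}".encode() + b"\0" for k, v in modinfo.items())
    shstrtab = b"\0.modinfo\0.shstrtab\0"      # names at offsets 1 and 10
    modinfo_off = 64
    shstrtab_off = modinfo_off + len(blob)
    shoff = shstrtab_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB
    ehdr = struct.pack(ELF64_EHDR, ident, 1, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)              # ET_REL, EM_X86_64
    null_sh = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    modinfo_sh = struct.pack(ELF64_SHDR, 1, 1, 0, 0, modinfo_off, len(blob),
                             0, 0, 1, 0)                # SHT_PROGBITS
    shstrtab_sh = struct.pack(ELF64_SHDR, 10, 3, 0, 0, shstrtab_off,
                              len(shstrtab), 0, 0, 1, 0)  # SHT_STRTAB
    return ehdr + blob + shstrtab + null_sh + modinfo_sh + shstrtab_sh


# Constructed sample: only the release string is taken from the report.
SAMPLE_MODINFO = {
    "name": "sample_rootkit",
    "vermagic": "5.10.112-108.499.amzn2.x86_64 SMP mod_unload modversions ",
    "license": "GPL",
}

if __name__ == "__main__":
    info = parse_modinfo(build_sample_module(SAMPLE_MODINFO))
    running = os.uname().release
    print("module:", info["name"][0], "| built for:", vermagic_release(info),
          "| running:", running, "| matches host:", check_vermagic(info, running))
```

To run it against a real artefact, pass `open(path, "rb").read()` to `parse_modinfo()` instead of the constructed sample. Because the kernel refuses a vermagic mismatch unless the module is force-loaded, the release embedded in a recovered .ko tells you which host the attacker tailored the build for; a mismatch with the system you pulled it from suggests it was staged for a different machine. Note that this only works on the on-disk file: once loaded, a Reptile-style rootkit hides its own module from the running system.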

The capabilities of Mélofée let it communicate with a remote server and obtain instructions that permit it to operate on files, create sockets, launch a shell, and execute arbitrary commands.

Packet formats used by Mélofée (figure not reproduced).

The following tools are connected to the infrastructure used by the Mélofée implants:

  • Cyber threat intelligence sources tracked some of the servers as ShadowPad C&C servers;
  • Other servers were linked to both Winnti and HelloBot tools;
  • Related domains were identified as C&C servers for tools such as PlugX, Spark, Cobalt Strike, StowAway, and the legitimate ToDesk remote-control tool;
  • Lastly, the attacker probably also used the ezXSS tool, but the researchers could not confirm its purpose.

The HelloBot malware family, which likewise targets Linux hosts, is known to be used by APT groups such as Earth Berberoka.

Since at least 2020, the state-sponsored actor Earth Berberoka has mainly targeted gambling websites in China with multi-platform malware, including HelloBot and Pupy RAT.

“We assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state sponsored attacker groups during at least all of 2022”, the researchers said.

ExaTrack also found another implant, codenamed AlienReverse, which uses publicly available tools such as EarthWorm and socks_proxy and shares similarities with Mélofée.

“The Mélofée implant family is another tool in the arsenal of Chinese state sponsored attackers, which show constant innovation and development,” the researchers said.

“The capabilities offered by Mélofée are relatively simple but may enable adversaries to conduct their attacks under the radar.”

Moreover, these implants have rarely been observed in the wild, which suggests the attacker reserves them for high-value targets.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
