Rekoobe Malware Used by Chinese Hacker Group Attack Linux system

Rekoobe is a backdoor malware that targets vulnerable Linux servers known to be used by the Chinese APT31.

It’s been active since 2015, and in 2018 updated versions of Rekoobe were used to target Linux servers, as its architecture is x86, x64, and SPARC.

Emergency Response Center (ASEC) shares various Rekoobe variants and organizes Rekoobe malware used in attacks targeting domestic companies in its latest article.

Mostly targets obsolete Linux servers or are in service with inappropriate settings and also involved in supply chain attacks.

Analysis of the Rekoobe variant:

  • MD5: 8921942fb40a4d417700cfe37cce1ce7
  • C&C server: resolv.ctmailer[.]net:80 (103.140.186.32)
  • Download address: hxxp://103.140.186[.]32/mails

Rekoobe, built by open source code Tiny shell, utilizes strcpy() function to change the process name when running the program to make the users difficult to recognize.

It doesn’t have any command line option to receive the address or password of the C&C server.

Rekoobe generates an AES-128 key using the HMAC SHA1 algorithm and encrypts the communication data with the C&C server using the key.

Initially, data of size 0x28 is received from the C&C server, then it is divided into two 0x14 bytes and used as the IV when initializing the HMAC SHA1 context.

In the initialization process, a hard-coded password string “0p;/9ol.” is also used in addition to the IV, which is each 0x14 bytes received.

The generated HMAC SHA1 values ​​are AES-128 keys, which are used to encrypt and decrypt data received from the C&C server when transmitting data to the C&C server, respectively.

Additionally, data for integrity verification of 0x10 bytes is received from the C&C which is decoded with the AES-128 key set above, and through the XOR process.

The data to be delivered thereafter is used for integrity verification, and it is 0x10 bytes and must have the same value.

Once the integrity verification process is finished, the same integrity data of 0x10 bytes is transmitted to the C&C server. When sending data, it is encrypted and transmitted using the AES128 key created with the HMAC SHA1 value created above.

Finally, simple commands which are in one byte are executed for file upload, file download, and reverse shell.

Another sample of Rekoobe opens a port in the form of a bind shell and waits for the connection of the C&C server. This is because Tiny SHell supports both.

Rekoobe is presumed to have a separate builder. Although a random password string was used, “replace with your password,” which seems to be the default string, is often seen. 

The attacker employs different malicious code for each attack. Unlike passwords in which a different string is used every time, the data used for integrity verification is characterized by the fact that “58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D” is used for most of the source code.

Based on open source, Rekoobe could be utilized by other attackers besides the well-known Chinese attack group APT31 and cases of attacks against domestic systems are increased.

In order to prevent such security threats, always update the related systems to the latest versions to protect them from attacks. 

Indicator of compromise

– 7851833a0cc3482993aac2692ff41635
– 03a87253a8fac6d91d19ea3b47e2ca6c
– 5f2e72ff741c4544f66fec16101aeaf0
– 8921942fb40a4d417700cfe37 cce1ce7

“AI-based email security measures Protect your business From Email Threats!” – .

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.