Chinese APT group used the new Mélofée Linux malware in attacks

April 14, 2023

An unidentified Chinese-backed advanced persistent threat group has utilised the newly discovered Mélofée Linux malware. The researchers found three samples of the previously undocumented malicious tool last year.

One of the three samples could launch a kernel-mode rootkit based on the open-source Reptile project. The researchers added that the rootkit was built for kernel version 5.10.112-108.499.amzn2.x86_64 and has a limited set of capabilities; one confirmed capability is installing hooks that hide the malware.
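The hiding hooks are the part of such a rootkit that a defender can test for. The following is an added example (not code from the article or the researchers) of the classic hidden-process check: the PIDs that a directory listing of /proc reveals are compared with the PIDs found by asking for each /proc/&lt;pid&gt; entry by name, since a hook that filters the listing often does not filter direct lookups. The only assumption is a Linux-style proc filesystem; the function and variable names are the example's own.

```python
"""Hidden-process check: compare PIDs visible through a /proc directory listing
with PIDs reachable by direct /proc/<pid> lookup.  Added example, not code from
the article; names here are the example's own."""
import os


def listed_pids(proc_root="/proc"):
    """PIDs seen via readdir() on proc, which is what `ps` and `ls /proc` use."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid, pid_exists):
    """PIDs found by probing each /proc/<pid> by name, bypassing the listing.
    `pid_exists` is a callable so the logic can be exercised without /proc."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listed, probed):
    """Processes reachable by direct lookup but absent from the listing: the
    signature of a process-hiding hook (or of a race, see scan_proc)."""
    return sorted(probed - listed)


def scan_proc(proc_root="/proc"):
    """Run the check against a live proc filesystem and re-confirm each hit,
    because a process exiting between the listing and the probe would otherwise
    show up as a false positive."""
    with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as fh:
        max_pid = int(fh.read().strip())

    def exists(pid):
        return os.path.isdir(os.path.join(proc_root, str(pid)))

    candidates = hidden_pids(listed_pids(proc_root), probed_pids(max_pid, exists))
    fresh_listing = listed_pids(proc_root)
    return [pid for pid in candidates if exists(pid) and pid not in fresh_listing]


if __name__ == "__main__":
    hits = scan_proc()
    print("hidden PIDs:", hits if hits else "none")
```

Probing every PID up to pid_max (often 4194304) takes a few seconds; that is acceptable for an ad hoc check but not for a tight polling loop. A rootkit that also hooks the path lookup will defeat this particular comparison, so a clean result rules out only the listing-filter style of hiding.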

Analysts believe that the threat actors deployed the implant and the rootkit through shell commands that download an installer and a specially crafted binary package from an attacker-controlled server.

The installer takes the binary package as an argument and extracts the rootkit and the server implant module from it; the implant appears to still be under development.


The Mélofée malware has the standard capabilities of a typical backdoor.


According to the investigation, Mélofée offers the feature set of a common backdoor: creating sockets, launching a shell, and running arbitrary commands.

Additionally, the malware could contact a remote server and retrieve additional commands from its operators.

Experts claimed that the malware could have originated from China since its infrastructure overlaps with notorious cybercriminal groups, such as GamblingPuppet and Winnti.

The Earth Berberoka group could also be tied to the malware, as the current targets of the Linux malware are gambling websites in China. Alternatively, the Pupy RAT developers could have developed Mélofée, since Pupy also uses the Reptile rootkit for obfuscation.

Researchers have also discovered another implant, called AlienReverse. It is similar to Mélofée and uses publicly available tools such as socks_proxy and EarthWorm.

Cybersecurity experts stated that the Mélofée Linux malware is an additional weapon in an already well-stocked Chinese cybercriminal arsenal. The new malware shows that China-based threat actors keep creating new malicious tools for their attacks.

Therefore, organisations should always adopt competent security tools to mitigate such threats’ effects.
