Linux systems in South Korea targeted by Reptile rootkit

August 24, 2023

The open-source Reptile rootkit is currently being used against South Korean organisations running the Linux operating system. Based on reports, the rootkit can hide itself, provide a reverse shell, and give its operator persistent, low-friction access to a compromised system.

The defining feature of Reptile, however, is port knocking: the malware listens on a particular port of the compromised system and sits in standby until it receives a trigger.

Researchers explained that this trigger is how the rootkit establishes a connection with the command-and-control server: once a threat actor sends a Magic Packet to the targeted system, the rootkit connects back to the attacker.


Reptile rootkit operators use a loader in their attack process.


The Reptile campaign uses a loader to decrypt the rootkit and load its kernel module into memory. The kernel module then binds a designated port and waits for further commands from the attacker.
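A listener that a kernel module owns, or that a hidden process owns, is one of the few traces a rootkit like this leaves in plain view. The following check is an added example written for this article, not code from the original report or from the Reptile project: it parses /proc/net/tcp for LISTEN sockets and cross-references each socket inode against the /proc/<pid>/fd links of every visible process, reporting listeners that nobody visible owns. The /proc/net/tcp lines and the inode-to-PID map used for the sample run are constructed; the IPv4 decoding assumes a little-endian host.

```python
"""Flag TCP LISTEN sockets that no visible process owns (constructed example).

A rootkit that hides its listener from ps/ss still leaves the socket in
/proc/net/tcp. If no /proc/<pid>/fd/* symlink points at that socket's inode,
either the owner is hidden from /proc or the socket is kernel-owned; both
deserve a closer look on a host suspected of running Reptile.
"""
import os
import re
import socket
import struct
from typing import Dict, List, Tuple

TCP_LISTEN = "0A"  # value of the 'st' column in /proc/net/tcp for listening sockets


def decode_endpoint(hex_addr: str) -> Tuple[str, int]:
    """Turn '0100007F:1F90' from /proc/net/tcp into ('127.0.0.1', 8080).

    The kernel prints the IPv4 address as a 32-bit integer in host byte order;
    '<I' assumes a little-endian host (x86, arm64), which the sample below uses.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp: str) -> Dict[int, Tuple[str, int]]:
    """Map socket inode -> (ip, port) for every LISTEN entry in /proc/net/tcp text."""
    listeners: Dict[int, Tuple[str, int]] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        listeners[int(fields[9])] = decode_endpoint(fields[1])
    return listeners


def socket_inodes_by_pid(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by resolving every /proc/<pid>/fd/* link of the form 'socket:[N]'."""
    owners: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not root: run as root for full coverage
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match:
                owners[int(match.group(1))] = int(entry)
    return owners


def orphan_listeners(listeners: Dict[int, Tuple[str, int]],
                     owners: Dict[int, int]) -> List[Tuple[str, int, int]]:
    """Return (ip, port, inode) for LISTEN sockets whose inode no visible process holds."""
    return sorted((ip, port, inode) for inode, (ip, port) in listeners.items()
                  if inode not in owners)


# Constructed sample: sshd on :22, cups on 127.0.0.1:631, one established
# connection, and a listener on 0.0.0.0:8080 (inode 99001) that no process owns.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18432 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18975 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99001 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C13A 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 19002 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {18432: 812, 18975: 845, 19002: 1203}  # constructed inode -> pid map


def check_sample() -> List[Tuple[str, int, int]]:
    """Run the check over the constructed sample; returns [('0.0.0.0', 8080, 99001)]."""
    return orphan_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), SAMPLE_OWNERS)


if __name__ == "__main__":
    print("sample:", check_sample())
    with open("/proc/net/tcp") as fh:  # live run; needs root to see every process's fds
        for ip, port, inode in orphan_listeners(parse_listeners(fh.read()), socket_inodes_by_pid()):
            print(f"LISTEN {ip}:{port} inode={inode} has no visible owning process")
```

An orphan listener is a lead, not a verdict: kernel-owned services (NFS, rpc) and sockets whose owner just exited also show up, and the check covers only IPv4 TCP; repeat it over /proc/net/tcp6 and the UDP tables, and compare the result with what ss reports, since a discrepancy between the two is itself a sign that userland tooling is being lied to.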

Additionally, the rootkit uses the KHOOK engine to hook Linux kernel functions and carry out its operations. Some researchers also note that it resembles Syslogk, a rootkit based on Adore-ng.

Currently, the Reptile campaign targets companies in South Korea. Researchers also claimed that the majority of its users are Chinese threat actors.

Reptile poses a significant threat because its software bundle gives operators unauthorised root-level access while keeping their activity hidden. Roughly four distinct Reptile incidents have been observed in the wild since last year.

Furthermore, Reptile’s source-code availability makes it easily accessible to different threat actors. Hence, it could appear in various cybercriminal operations globally.

Cybersecurity experts stated that Reptile is one of several Linux kernel-mode rootkits that can hide files, processes, directories, and network communications. Rootkits are commonly combined with other malware to build more complex campaigns.
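Process hiding is usually done by filtering the /proc directory listing, which leaves a gap a defender can measure: a task that the kernel still acknowledges through kill(pid, 0) but that /proc does not list. The check below is an added example for this article, not code from the original report or the Reptile project; it probes every ID up to pid_max, folds thread IDs from /proc/<pid>/task into the visible set (a bare TID also answers kill() and would otherwise look hidden), and takes a second /proc snapshot before reporting so a process that merely started mid-scan is not flagged. The sample sets of live and visible IDs are constructed.

```python
"""Find process/thread IDs that exist but are missing from /proc (constructed example).

A kernel rootkit that hides a process usually filters the /proc directory
listing, but kill(pid, 0) still reaches the hidden task. Probing every PID
up to pid_max and comparing with what /proc shows exposes the gap.
"""
import os
from typing import Callable, List, Set


def visible_ids(proc_root: str = "/proc") -> Set[int]:
    """Collect every PID and TID that /proc currently exposes."""
    ids: Set[int] = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            task_dir = os.path.join(proc_root, entry, "task")
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:  # process exited between the two listdir calls
            pass
    return ids


def task_exists(pid: int) -> bool:
    """True if the kernel knows a task with this ID, whoever owns it."""
    try:
        os.kill(pid, 0)  # signal 0: existence/permission check only, nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space on this host."""
    with open(path) as fh:
        return int(fh.read())


def hidden_tasks(visible: Set[int], exists: Callable[[int], bool], pid_max: int) -> List[int]:
    """IDs the kernel confirms but /proc does not list. `exists` is injectable for testing."""
    return [pid for pid in range(1, pid_max + 1) if pid not in visible and exists(pid)]


def confirmed_hidden(visible_fn: Callable[[], Set[int]],
                     exists: Callable[[int], bool], pid_max: int) -> List[int]:
    """Two passes with a fresh /proc snapshot in between, so a process that
    merely started after the first listing is not reported."""
    first = set(hidden_tasks(visible_fn(), exists, pid_max))
    if not first:
        return []
    second = set(hidden_tasks(visible_fn(), exists, pid_max))
    return sorted(first & second)


# Constructed sample: the kernel answers for IDs 1, 2, 900 and 4242, but /proc
# only lists the first three; 4242 is the hidden one.
SAMPLE_LIVE = {1, 2, 900, 4242}
SAMPLE_VISIBLE = {1, 2, 900}


def check_sample() -> List[int]:
    """Run the two-pass check over the constructed sample; returns [4242]."""
    return confirmed_hidden(lambda: set(SAMPLE_VISIBLE), lambda pid: pid in SAMPLE_LIVE, pid_max=5000)


if __name__ == "__main__":
    print("sample:", check_sample())
    for pid in confirmed_hidden(visible_ids, task_exists, read_pid_max()):
        print(f"task {pid} exists but is not listed in /proc")
```

The probe runs through the same kernel the rootkit has hooked, so a module that also filters the kill path can defeat it; treat a clean result as weak evidence and, where the stakes justify it, confirm from a trusted boot medium or by comparing against the memory image rather than the live system.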

However, Reptile sets itself apart from generic rootkits by offering a reverse shell capability that fully compromises the targeted system and leaves it open to further attacks.

Linux users should regularly review systems for vulnerable configurations, keep relevant software up to date, and periodically verify that the listening ports, running processes, and loaded kernel modules match what they expect, so that a hidden rootkit is caught early rather than after it has been used.
