The malware may be linked to another state-sponsored APT group called Earth Berberoka (or GamblingPuppet), which mainly targets gambling websites in China.
ExaTrack, a cybersecurity company based in France, recently discovered a novel piece of malware it named Mélofée. The malware specifically targets Linux servers and is believed to be operated by an unnamed Chinese state-sponsored APT group.
The researchers have linked this malware to the notorious Winnti group with high confidence. “We linked with high confidence this malware to Chinese state-sponsored APT groups, in particular the notorious Winnti group,” researchers said in a blog post.
Mélofée Malware Activity
The malware’s capabilities include a kernel-mode rootkit based on an open source project called Reptile. The rootkit has limited capabilities: it mainly installs a hook designed to keep itself hidden.
The implant and rootkit are deployed on a system by means of shell commands. These commands download an installer together with a custom binary package from a remote server. The installer extracts from that package the rootkit and a server implant module, which is currently under active development.
The malware is capable of establishing a connection to a remote server and receiving commands to carry out different operations, launch a shell, create sockets, and execute arbitrary commands.
The company discovered two samples, identified by the version numbers 20220111 and 20220308 respectively, while another sample had an estimated date ranging from April to May 2022.
IOCs
Filenames
/etc/intel_audio
/etc/intel_audio/id
/etc/intel_audio/intel_audio.ko
| SHA256 | File type | Comment |
|---|---|---|
3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d | Text file | Installation commands |
758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0 | ELF x64 executable | Installer |
a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a | ELF x64 executable | Implant version 20220111 |
2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009 | ELF x64 executable | Implant version 20220308 |
8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7 | ELF x64 executable | Implant with rootkit and without version number |
f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68 | Binary file | Container of rootkit and implant probably used for installation |
330a61fa666001be55db9e6f286e29cce4af7f79c6ae267975c19605a2146a21 | PE x64 executable | Cobalt Strike beacon |
7149cdb130e1a52862168856eae01791cc3d9632287f990d90da0cce1dc7c6b9 | PE32 executable | Cobalt Strike beacon |
a62b67596640a3ebadd288e733f933ff581cc1822d6871351d82bd7472655bb5 | ELF x64 executable | StowAway proxy tool |
3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88 | ELF x64 executable | AlienReverse implant |
2e62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8 | ELF x32 executable | HelloBot implant |
407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8 | ELF x32 executable | HelloBot implant |
187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17 | ELF x32 executable | HelloBot implant |
2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66f11bf88f8c7c2e5a6b009 | ELF x32 executable | HelloBot implant |
6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0 | PE x64 executable | Go downloader for toDesk |
7684e1dfaeb2e7c8fd1c9bd65041b705bc92a87d9e11e327309f6c21b5e7ad97 | PE x64 executable | Go downloader for toDesk |
899ef7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc | PE x64 executable | Spark implant |
c36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8 | ELF x64 | UPX Packed executable (probably NPS, to confirm) |
ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8 | ASCII text file | Script dropped in /etc/rc.modules for rootkit persistence |
1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9 | ELF x64 executable | Winnti Linux |
22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a | ELF x64 executable | Winnti Linux |
3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d | ELF x64 executable | Winnti Linux |
5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743 | ELF x64 executable | Winnti Linux rootkit |
378acfdbcec039cfe7287faac184adf6ad525b201cf781db9082b784c9c75c99 | Shell script | Winnti Linux rootkit installer |
617f9add4c27f3bb91a32fee007cce01f5a51deaf42e75e6cec3e71afe2ba967 | ELF x64 executable | Winnti Linux |
69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd | ELF x64 executable | Winnti Linux |
ad979716afbce85776251d51716aeb00665118fb350038d150c129256dd6fc5f | ELF x64 executable | Winnti Linux |
f49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281 | ELF x64 executable | Winnti Linux |
2c1a6fe08c8cbdc904809be4c12b520888da7f33123d1656a268780a9be45e20 | ELF x64 executable | Winnti Linux rootkit (Azazel fork) |
a37661830859ca440d777af0bfa829b01d276bb1f81fe14b1485fa3c09f5f286 | JavaScript file | ezXSS payload |
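As an added defensive example (not code from ExaTrack or from the original article), the following Python script sweeps a host for the indicators listed above: SHA256 matches against the hashes in the table, the rootkit's /etc/intel_audio artefacts, and the module name in /proc/modules. It assumes the kernel module registers under the name intel_audio, matching the .ko filename, which the page does not state; the hash set below carries only the Mélofée-specific rows of the table (the others can be added the same way), and the sample files and the /proc/modules line in demo() are constructed for the example.

```python
"""IOC sweep for the Mélofée indicators published above (added example, not the vendor's tooling)."""
import hashlib
import os
import shutil
import sys
import tempfile

# SHA256 values copied from the IOC table on this page; the comments are the table's own.
MELOFEE_HASHES = {
    "3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d": "Installation commands",
    "758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0": "Installer",
    "a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a": "Implant version 20220111",
    "2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009": "Implant version 20220308",
    "8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7": "Implant with rootkit",
    "f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68": "Container of rootkit and implant",
    "ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8": "/etc/rc.modules persistence script",
}

# Filesystem artefacts from the IOC list (the rootkit's directory, id file and kernel module).
MELOFEE_PATHS = [
    "/etc/intel_audio",
    "/etc/intel_audio/id",
    "/etc/intel_audio/intel_audio.ko",
]

# Assumption: the loaded module is named after the .ko file. The page does not state this.
MODULE_NAME = "intel_audio"


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_hits(root, iocs=MELOFEE_HASHES):
    """Walk root and return [(path, comment)] for every file whose SHA256 is in the IOC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in iocs:
                hits.append((p, iocs[digest]))
    return hits


def path_hits(root="/"):
    """Return the IOC paths present under root; root != "/" lets a mounted image or sandbox be checked."""
    return [ioc for ioc in MELOFEE_PATHS if os.path.lexists(os.path.join(root, ioc.lstrip("/")))]


def loaded_module_hits(proc_modules_text):
    """Parse /proc/modules ("name size refcount deps state addr") and return matching module names.
    A rootkit that hooks the kernel can hide its own entry, so an empty result proves nothing."""
    names = [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]
    return [n for n in names if MODULE_NAME in n]


def demo():
    """Build a constructed sandbox resembling an infected host and run all three checks.
    Every file written here is a harmless placeholder, not real malware."""
    root = tempfile.mkdtemp(prefix="melofee_demo_")
    try:
        os.makedirs(os.path.join(root, "etc/intel_audio"))
        fake_ko = os.path.join(root, "etc/intel_audio/intel_audio.ko")
        with open(fake_ko, "wb") as f:
            f.write(b"constructed placeholder, not a real kernel module\n")
        # No placeholder can reproduce a published hash, so the placeholder's own digest is
        # added to a copy of the IOC set purely to exercise the matching path.
        iocs = dict(MELOFEE_HASHES)
        iocs[sha256_of(fake_ko)] = "constructed placeholder (demo only)"
        proc_modules = (
            "ext4 770048 2 - Live 0x0000000000000000\n"
            "intel_audio 16384 0 - Live 0x0000000000000000\n"  # constructed line
        )
        return {
            "hash_hits": hash_hits(root, iocs),
            "path_hits": path_hits(root),
            "module_hits": loaded_module_hits(proc_modules),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real sweep: python3 sweep.py /mnt/suspect_root
        root = sys.argv[1]
        print("hash hits:", hash_hits(root))
        print("path hits:", path_hits(root))
        if os.path.exists("/proc/modules"):
            with open("/proc/modules") as f:
                print("module hits:", loaded_module_hits(f.read()))
    else:
        print(demo())
```

Because the rootkit's hook exists precisely to hide its files and module from a live kernel, directory listings and /proc/modules read on a running, possibly compromised host are not trustworthy evidence of absence; run the hash and path checks from rescue media or against a disk image mounted elsewhere, and treat any single hit as grounds to preserve the machine for forensic imaging rather than to clean it in place.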