Rekoobe, a backdoor malware, specifically targets vulnerable Linux servers commonly utilized by the Chinese APT31.
Rekoobe Malware
Since 2015, Rekoobe has remained active, and in 2018, updated versions of the malware were employed to target Linux servers due to its compatibility with architectures such as x86, x64, and SPARC.
In its latest article, the National Emergency Response Center (ASEC) disseminated multiple variants of Rekoobe and compiled comprehensive information about the malware, which has been employed in attacks aimed at domestic companies.
The majority of the targets comprise outdated Linux servers or systems with inadequate configurations, making them susceptible to supply chain attacks.
Rekoobe Variant Analysis:
MD5: 8921942fb40a4d417700cfe37cce1ce7
Command and Control (C&C) server: resolv.ctmailer[.]net:80 (103.140.186.32)
Download address: hxxp://103.140.186[.]32/mails
Rekoobe, developed utilizing the open-source code Tiny shell, employs the strcpy() function to modify the process name dynamically while the program is running, thereby posing challenges for user recognition.
Moreover, it lacks any command line options to obtain the C&C server address or password.
First, data of size 0x28 is received from the C&C server, then split into two 0x14 bytes and used as IV when initializing the HMAC SHA1 environment.
During the initialization process, a hard-coded password string “0p;/9ol.” is also used. except for an IV, which is every 0x14 bytes received.
The generated HMAC SHA1 values are AES-128 keys, which are used to encrypt and decrypt data in transit to and from the C&C server, respectively.
Furthermore, the C&C sends 0x10 bytes of data for integrity verification, which is decoded using the previously mentioned AES-128 key and undergoes an XOR process.
Subsequently, the delivered data is utilized for integrity verification and must maintain a consistent value of 0x10 bytes.
Another version of Rekoobe includes a bind shell that opens a port and waits for connections from the C&C server. This functionality is supported by Tiny Shell.
It is suspected that Rekoobe has a separate builder. While a random password string is occasionally used, it is common to come across the default string “replace with your password.”
The attacker employs distinct malicious code for each attack. While passwords vary with each attack, the data utilized for integrity verification mostly consists of the hexadecimal sequence “58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D” in the source code.
To safeguard against security threats, it is essential to consistently update the relevant systems with the latest versions to fortify them against potential attacks.
Indicator of compromise
– 7851833a0cc3482993aac2692ff41635
– 03a87253a8fac6d91d19ea3b47e2ca6c
– 5f2e72ff741c4544f66fec16101aeaf0
– 8921942fb40a4d417700cfe37 cce1ce7
Leave A Comment