In South Korea, Linux systems are under attack by threat actors utilizing an open-source rootkit named Reptile. According to a recent report by ASEC, Reptile stands out from other rootkit malware as it offers more than just the ability to hide itself; it also includes a reverse shell feature, enabling attackers to swiftly access targeted systems.

Diving into details

The standout feature among the functionalities supported by Reptile is Port Knocking. This technique involves the malware opening a particular port on an infected system and entering standby mode.
  • Once a threat actor sends a Magic Packet to the system, the rootkit uses it as the trigger for establishing a connection with the C2 server.
  • Reptile utilizes a loader (which is a kernel module packed using the open-source tool called kmatryoshka) to decrypt the rootkit and load its kernel module into memory. This kernel module then opens a designated port and waits for communications from the attacker.
  • The rootkit makes use of a Linux kernel function hooking engine called KHOOK to execute its operations.
  • It shares similarities with Syslogk, a rootkit based on Adore-Ng.
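As an added example (not code from Reptile, ASEC, or the report above), a small consistency check a defender can run against the two kernel interfaces that list loaded modules, since an LKM rootkit that hides itself from the module list can leave the two out of step; the module names in the constructed sample data, including `hidden_lkm_example`, are placeholders, not Reptile indicators.

```python
# Added example: generic hidden-LKM consistency check, not Reptile's code.
# Loadable modules normally appear both in /proc/modules and as a
# /sys/module/<name>/ directory carrying an 'initstate' file; a module
# unlinked from the kernel's module list can leave a gap between the two.
import tempfile
from pathlib import Path


def parse_proc_modules(text):
    """Return the module names from /proc/modules-formatted text."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def loaded_sysfs_modules(sys_module_dir):
    """Return /sys/module entries that carry an 'initstate' file.
    Built-in code also gets a /sys/module/<name>/ directory for its
    parameters, but only runtime-loaded modules have 'initstate'."""
    root = Path(sys_module_dir)
    if not root.is_dir():
        return set()
    return {p.name for p in root.iterdir() if (p / "initstate").is_file()}


def hidden_modules(proc_names, sysfs_names):
    """Modules present in sysfs but missing from /proc/modules."""
    return sorted(sysfs_names - proc_names)


def check_live_system():
    """Run the comparison against the real kernel interfaces."""
    proc = parse_proc_modules(Path("/proc/modules").read_text())
    return hidden_modules(proc, loaded_sysfs_modules("/sys/module"))


def demo():
    """Constructed sample: a fake sysfs tree in a temp dir plus matching
    /proc/modules text; 'hidden_lkm_example' is a placeholder name."""
    proc_text = (
        "ext4 913408 2 - Live 0x0000000000000000\n"
        "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("ext4", "xt_conntrack", "hidden_lkm_example"):
            d = Path(tmp, name)
            d.mkdir()
            (d / "initstate").write_text("live\n")
        Path(tmp, "printk").mkdir()  # built-in: no initstate file
        return hidden_modules(parse_proc_modules(proc_text),
                              loaded_sysfs_modules(tmp))
```

A module that also removes itself from sysfs will not show up here, so an empty result is not a clean bill of health. Any discrepancy is a reason to take the host offline and compare its loaded modules against a trusted baseline.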

Furthermore, Reptile was used in attacks against companies in South Korea and has mainly been used by Chinese threat actors.

Why this matters

  • The Reptile rootkit is a dangerous software package that grants unauthorized access at the root level, while simultaneously keeping its existence hidden. Since 2022, there have been at least four distinct instances of Reptile being deployed in various campaigns.
  • The availability of Reptile's open-source code makes it easily accessible to different threat actors, who can employ it for their own purposes.
  • Moreover, threat actors have the option to customize the rootkit for future attacks and combine it with other types of malware to enhance their malicious activities.

Latest campaign

  • In April, researchers disclosed a campaign that utilized the Mélofée malware along with the Reptile rootkit. This campaign was attributed to the China-linked cyberespionage group known as Winnti.
  • Furthermore, Mandiant highlighted a campaign conducted by a China-linked APT group that involved the usage of the Reptile rootkit and the exploitation of a zero-day vulnerability (CVE-2022-41328) in Fortinet products.

The bottom line

Reptile is a Linux kernel-mode rootkit malware designed to conceal files, directories, processes, and network communications. Typically, rootkits are combined with other malware for more extensive attacks. However, Reptile stands out by offering a reverse shell, making systems containing Reptile vulnerable to potential hijacking by threat actors. To counter these security threats, it is crucial to regularly inspect systems for vulnerable configurations and ensure all relevant software is up to date to guard against potential attacks.
Cyware Publisher