A new piece of malware targeting Linux systems has been linked to an unidentified Chinese state-sponsored hacking group. ExaTrack, a French cybersecurity company, found three samples of the malware dating from early 2022 and named it Mélofée. One of the artifacts is designed to drop a kernel-mode rootkit based on the open-source Reptile project.
“According to the vermagic metadata, it is compiled for kernel version 5.10.112-108.499.amzn2.x86_64,” the company said in a report. “The rootkit has a limited set of features, mainly installing a hook designed for hiding itself.” The amzn2 tag in that release string is Amazon Linux 2's kernel naming, and a module's vermagic must match the running kernel for it to load normally, so the sample was built for one specific kernel build.
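The vermagic string ExaTrack cites lives in the `.modinfo` section of the module's ELF file, which is what `modinfo -F vermagic module.ko` prints. The following is an added example (not code from ExaTrack's report and not derived from any Mélofée sample): a small ELF64 section parser that extracts `.modinfo` records and compares the vermagic release against a kernel release, so a responder can tell whether a recovered `.ko` was built for the host it was found on. The `build_sample_module` fixture constructs a minimal, fake ELF containing only `.shstrtab` and `.modinfo` so the script runs offline; the `name=sample_mod` value and the file name `check_vermagic.py` are assumptions for the example. A vermagic match says only which kernel the module targets; a rootkit that hides itself from `/proc/modules` still needs other checks (memory forensics, comparing kernel symbol tables) to detect once loaded.

```python
import os
import struct
import sys

# ELF64 little-endian layouts (see <elf.h>: Elf64_Ehdr and Elf64_Shdr), 64 bytes each.
ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")
SEC_HDR = struct.Struct("<IIQQQQIIQQ")


def elf_sections(data: bytes) -> dict:
    """Return {section name: raw bytes} for a little-endian ELF64 object."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    headers = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    # Section names live in the string table indexed by e_shstrndx.
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh in headers:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        sections[name] = data[sh[4]:sh[4] + sh[5]]
    return sections


def modinfo(data: bytes) -> dict:
    """Parse the NUL-separated key=value records of a kernel module's .modinfo section."""
    raw = elf_sections(data).get(".modinfo")
    if raw is None:
        raise ValueError("no .modinfo section: not a Linux kernel module")
    info = {}
    for rec in raw.split(b"\0"):
        if b"=" in rec:
            key, value = rec.split(b"=", 1)
            info.setdefault(key.decode(), value.decode())  # keep first of repeated keys (e.g. alias)
    return info


def vermagic_matches(data: bytes, running_release: str) -> bool:
    """True if the module's vermagic names `running_release`.
    vermagic is "<release> <config flags...>"; the kernel compares it with its own
    and refuses to load a mismatching module unless the loader forces it."""
    release = modinfo(data).get("vermagic", "").split(" ", 1)[0]
    return release == running_release


def build_sample_module(vermagic: str) -> bytes:
    """Constructed test fixture: a minimal ELF64 with only .shstrtab and .modinfo.
    NOT a real kernel module and not derived from any Mélofée sample."""
    shstrtab = b"\0.shstrtab\0.modinfo\0"             # ".shstrtab" at 1, ".modinfo" at 11
    modinfo_sec = f"vermagic={vermagic}\0name=sample_mod\0license=GPL\0".encode()
    shstr_off = ELF_HDR.size
    modinfo_off = shstr_off + len(shstrtab)
    shoff = (modinfo_off + len(modinfo_sec) + 7) & ~7   # section header table, 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ELF_HDR.pack(ident, 1, 0x3E, 1, 0, 0, shoff, 0,
                        ELF_HDR.size, 0, 0, SEC_HDR.size, 3, 1)  # ET_REL, EM_X86_64
    shdrs = b"".join([
        SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                            # SHT_NULL
        SEC_HDR.pack(1, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),        # SHT_STRTAB
        SEC_HDR.pack(11, 1, 0, 0, modinfo_off, len(modinfo_sec), 0, 0, 1, 0),  # SHT_PROGBITS
    ])
    body = shstrtab + modinfo_sec
    body += bytes(shoff - ELF_HDR.size - len(body))  # pad up to the aligned shoff
    return ehdr + body + shdrs


if __name__ == "__main__":
    # Usage: python3 check_vermagic.py /path/to/module.ko  (defaults to the constructed sample)
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_sample_module("5.10.112-108.499.amzn2.x86_64 SMP mod_unload modversions ")
    info = modinfo(blob)
    print("vermagic:", info.get("vermagic"))
    print("built for this kernel:", vermagic_matches(blob, os.uname().release))
```

Run it against a real `.ko` pulled from a compromised host and the output can be cross-checked with `modinfo -F vermagic`; a module whose release string names a distro kernel the host does not run is either a dead drop or evidence of a different intended target.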
The implant and the rootkit are said to be delivered by shell commands that download an installer and a custom binary package from a remote server. The installer takes the binary package as input and extracts from it both the rootkit and a server implant module.
Mélofée's capabilities, which let it communicate with a remote server and receive instructions to operate on files, create sockets, run a shell, and execute arbitrary commands, are similar to those of other backdoors of its kind. Its links to China rest on infrastructure overlaps with groups such as APT41 (also known as Winnti) and Earth Berberoka (also known as GamblingPuppet).
Earth Berberoka, a state-sponsored actor active since at least 2020, has mainly targeted gambling websites in China with multi-platform malware such as HelloBot and Pupy RAT. According to Trend Micro, some samples of the Python-based Pupy RAT have been hidden using the Reptile rootkit. ExaTrack also found another implant, codenamed AlienReverse, which shares similarities with Mélofée and uses publicly available tools such as EarthWorm and socks_proxy.
The company said the Mélofée implant family is yet another tool in the arsenal of Chinese state-sponsored attackers, who show continual innovation and development. Although Mélofée's capabilities are simple, they could still let adversaries carry out covert operations. The rarity with which these implants have been observed suggests that the attackers reserve them for high-value targets.