
Threat Actors Exploit Reptile Rootkit to Target Linux Systems in South Korea

Threat actors have been leveraging an open-source rootkit known as Reptile to attack Linux systems in South Korea. Unlike most rootkits, which only hide things, Reptile also provides a reverse shell, giving the threat actor interactive control over the compromised host. This is according to a recent report by AhnLab Security Emergency Response Center (ASEC).

The malware uses a port-knocking technique: rather than exposing a listening service, it watches a specific port on the infected system for a magic packet from the threat actor. Once that packet arrives, a connection to the command-and-control (C&C) server is established. Because nothing is listening, the channel does not show up as an open port on the host. Rootkits are malicious programs designed to give an attacker unauthorized root-level access to a machine while hiding their presence. Reptile has been used in at least four different campaigns since 2022.

Reptile was first documented by Trend Micro in May 2022, when it was associated with an intrusion set named Earth Berberoka. There it was used to conceal connections and processes belonging to the Pupy RAT, a cross-platform Python trojan. Another attack was detailed by Google-owned Mandiant in March 2023, in which a China-linked threat actor exploited zero-day vulnerabilities in Fortinet appliances to deploy custom implants, Reptile among them.

Mélofée, a Linux implant that ExaTrack attributed to a Chinese threat actor in March 2023, also bundled a version of Reptile. Lastly, Microsoft uncovered a cryptojacking operation in June 2023 that used a shell-script backdoor to download Reptile in order to hide the miner's processes and files.

Reptile is deployed by a loader that uses the kmatryoshka tool to decrypt the rootkit's kernel module and load it into memory. Once resident, the module watches a specific port and waits for the attacker's magic packet, which carries the C&C server address. The rootkit then spawns a reverse shell that connects back to that address. Note that the address the shell calls back to is taken from the packet, so it need not be the same host that sent the knock.
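The two-step activation described above (an unsolicited packet to a port with no listener, followed shortly by a new outbound connection from the host) is something a defender can look for in flow logs even without knowing the magic pattern. The following is an added example written for this page, not code from ASEC or from the Reptile project. The log format, the listener inventory, the host addresses and the 30-second correlation window are all constructed for illustration; it deliberately does not require the callback destination to match the knock source, for the reason given in the paragraph above.

```python
"""Toy detector for the 'knock to a closed port, then callback' pattern.

Added example, not part of the original article. All inputs are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str  # "in" = toward the monitored host, "out" = from it
    src: str
    dst: str
    dport: int
    proto: str


# Constructed listener inventory for the monitored host (what `ss -ltn` would show).
LISTENING_PORTS: Set[int] = {22, 443}

# Constructed flow log for host 10.0.0.20 (hypothetical sensor format:
# "<timestamp> <in|out> <src> -> <dst>:<dport> <proto>"). Not real traffic.
FLOW_LOG = """\
2023-08-07T10:00:01Z in 10.0.0.5 -> 10.0.0.20:22 tcp
2023-08-07T10:00:02Z in 203.0.113.9 -> 10.0.0.20:5555 tcp
2023-08-07T10:00:04Z out 10.0.0.20 -> 198.51.100.7:443 tcp
2023-08-07T10:05:00Z in 203.0.113.44 -> 10.0.0.20:8080 tcp
2023-08-07T10:20:00Z out 10.0.0.20 -> 10.0.0.2:53 udp
"""


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed flow format into a Flow."""
    ts, direction, src, arrow, dst_port, proto = line.split()
    if arrow != "->" or direction not in ("in", "out"):
        raise ValueError(f"unrecognised flow line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                direction, src, dst, int(port), proto)


def find_knock_then_callback(flows: Iterable[Flow],
                             listening_ports: Set[int],
                             window: timedelta = timedelta(seconds=30)
                             ) -> List[Tuple[Flow, Flow]]:
    """Return (knock, callback) pairs.

    A knock is an inbound packet to a port with no listener; a healthy host
    answers that with a RST and nothing else happens.  If the host instead
    opens a *new outbound* connection within `window`, the pair is reported.
    The callback destination is intentionally not tied to the knock source.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    hits: List[Tuple[Flow, Flow]] = []
    for i, knock in enumerate(ordered):
        if knock.direction != "in" or knock.dport in listening_ports:
            continue
        for later in ordered[i + 1:]:
            if later.ts - knock.ts > window:
                break  # log is time-ordered; nothing further can correlate
            if later.direction == "out":
                hits.append((knock, later))
                break
    return hits


def run(log: str = FLOW_LOG,
        listening_ports: Set[int] = LISTENING_PORTS) -> List[Tuple[Flow, Flow]]:
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    return find_knock_then_callback(flows, listening_ports)


if __name__ == "__main__":
    for knock, callback in run():
        print(f"knock from {knock.src} to closed port {knock.dport} at {knock.ts:%H:%M:%S}, "
              f"then callback to {callback.dst}:{callback.dport} at {callback.ts:%H:%M:%S}")
```

On the constructed log this reports exactly one pair: the packet to port 5555 followed two seconds later by the connection to 198.51.100.7:443; the stray probe to port 8080 is ignored because nothing outbound follows it within the window. Two caveats: a rootkit that hooks the network stack can watch a listening port just as easily as a closed one, so this heuristic only catches the higher-signal case, and on a busy host the "new outbound connection" condition should be tightened to destinations not seen in a baseline period.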

Interestingly, the use of magic packets to trigger malicious activity was previously observed in another Linux rootkit, Syslogk. ASEC detected an attack involving Reptile in South Korea that shared tactical similarities with the Mélofée intrusions.

Reptile poses a considerable threat because it can hide files, directories, processes, and network communications from host-level inspection, so the usual process and socket listings on the infected machine cannot be trusted. Its reverse shell then gives the threat actor interactive control of the compromised system.
