The Reptile rootkit is a malicious software package that provides root-level access to a machine while concealing its presence.
In South Korea, threat actors target Linux systems using an open-source rootkit called Reptile.
The AhnLab Security Emergency Response Center (ASEC) published a report this week stating that Reptile goes further than other rootkit malware, which typically only provides concealment capabilities. Reptile offers a reverse shell, allowing threat actors to access systems quickly.
Since 2022, at least four different campaigns have deployed Reptile.
Reptile is activated with a port-knocking-style trigger. After loading, the rootkit inspects inbound traffic on the infected system and otherwise lies dormant. When the threat actor sends a specially crafted "magic" packet, the rootkit reads the command and control address carried in that packet and initiates an outbound connection to it; the packet itself does not open the channel, it only tells the rootkit where to connect.
Trend Micro first recorded use of the rootkit in May 2022 in connection with an intrusion set identified as Earth Berberoka (aka GamblingPuppet). In attacks targeting Chinese gambling sites, the malware was used to hide connections and processes associated with a cross-platform Python Trojan known as the Pupy RAT.
In March 2023, a suspected China-linked threat actor tracked as UNC3886 used Reptile together with zero-day vulnerabilities in Fortinet appliances to compromise several organizations. Around the same time, a Chinese hacking group was found to be using a Reptile-based Linux implant called Mélofée. In June 2023, a cryptojacking operation identified by Microsoft used a shell-script backdoor to download Reptile and relied on it to hide the operation's files and child processes.
ASEC's analysis shows that a loader called kmatryoshka decrypts the rootkit's kernel module and loads it into memory. Once the module is loaded, it waits for the attacker to send a magic packet, which may arrive over TCP, UDP or ICMP. The magic packet carries the address of the command and control server; on receiving it, the rootkit connects to that address and opens a reverse shell.
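The trigger mechanism described in the two passages above (a dormant hook that inspects every inbound packet and, on a matching magic packet, connects outward to the C2 address the packet names) is easy to misread as "a port is open, so watch that port". The following Python model is an added example, not code from Reptile or from ASEC's report. The marker bytes, the payload layout (marker, IPv4 address, port) and all addresses are hypothetical and chosen only for the illustration; they are not Reptile's real values. It shows both sides: the implant hook firing identically on TCP, UDP and ICMP payloads, and a payload-aware detector that sees the ICMP case a port-based rule would miss.

```python
import socket
import struct
from dataclasses import dataclass

# Hypothetical trigger layout used only for this illustration; it is NOT
# Reptile's real magic value or encoding.
MAGIC = b"KNOCK\x00"
TRIGGER_LEN = len(MAGIC) + 4 + 2  # marker + IPv4 address + 16-bit port


@dataclass(frozen=True)
class Packet:
    """A captured inbound packet, reduced to what the hook needs to inspect."""
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # sender address
    payload: bytes  # transport payload (ICMP echo data for icmp)


def build_trigger(c2_ip: str, c2_port: int) -> bytes:
    """Attacker side: encode the C2 endpoint into the magic packet payload."""
    return MAGIC + socket.inet_aton(c2_ip) + struct.pack("!H", c2_port)


def parse_trigger(payload: bytes):
    """Implant side: return (ip, port) if the payload is a valid trigger, else None."""
    if len(payload) < TRIGGER_LEN or not payload.startswith(MAGIC):
        return None
    body = payload[len(MAGIC):TRIGGER_LEN]
    ip = socket.inet_ntoa(body[:4])
    (port,) = struct.unpack("!H", body[4:6])
    if port == 0:
        return None
    return ip, port


def rootkit_hook(packet: Packet, connect_back) -> bool:
    """Model of the dormant hook: every inbound packet is inspected regardless of
    transport, and a matching trigger causes an OUTBOUND connection to the C2
    endpoint named in the packet. Returns True when the trigger fired."""
    target = parse_trigger(packet.payload)
    if target is None:
        return False
    connect_back(*target)  # where the reverse shell would be opened
    return True


def detect_triggers(packets):
    """Defender side: flag trigger payloads on any transport. A rule keyed on a
    destination port would never see the ICMP case, which has no port at all."""
    hits = []
    for p in packets:
        target = parse_trigger(p.payload)
        if target is not None:
            hits.append((p.proto, p.src, target))
    return hits


def simulate():
    """Constructed traffic: the same trigger on three transports plus benign noise.
    All addresses are documentation (TEST-NET) ranges, not real hosts."""
    c2 = ("203.0.113.10", 4444)
    traffic = [
        Packet("tcp", "198.51.100.7", b"GET / HTTP/1.1\r\n"),
        Packet("tcp", "198.51.100.7", build_trigger(*c2)),
        Packet("udp", "198.51.100.8", build_trigger(*c2)),
        Packet("icmp", "198.51.100.9", build_trigger(*c2)),
        Packet("udp", "198.51.100.8", b"KNOCK"),  # truncated marker: must not fire
    ]
    connections = []
    for p in traffic:
        rootkit_hook(p, lambda ip, port: connections.append((ip, port)))
    return connections, detect_triggers(traffic)


if __name__ == "__main__":
    conns, hits = simulate()
    print("reverse-shell connections the implant would open:", conns)
    print("trigger packets a payload-aware detector flags:", hits)
```

Two things follow from the model. The C2 address lives in the trigger, not in the implant, so static analysis of the module alone will not reveal where the shell goes; and the connection is initiated from the victim, so egress monitoring (unexpected outbound connections from a host with no matching inbound session) is where this activity is most visible on the wire.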
Another rootkit, Syslogk, likewise uses magic packets to activate its malicious functionality. ASEC also reported an attack case in South Korea in which Reptile was used in a way that closely resembled Mélofée.
Beyond hiding files, directories, processes and network connections, Reptile gives threat actors a way to take over the compromised system outright.
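A practitioner reading about process concealment will want a cross-check that does not trust the listing the rootkit controls. The Python below is an added example, not part of ASEC's report or of the Reptile project, and assumes a Linux host: it compares the PIDs that appear in /proc against PIDs that answer a kill(pid, 0) probe, and it handles the classic false positive of such scans, thread IDs, which share the PID space and answer the probe but are never listed in /proc. The comparison is written as a pure function over injected inputs so it can be exercised on constructed data; `scan()` wires it to the real /proc. The function and variable names are this example's own.

```python
import os
from typing import Callable, Iterable, Optional


def proc_listed_pids(proc_root: str = "/proc") -> set:
    """PIDs the kernel admits to: numeric entries of the /proc listing."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_alive(pid: int) -> bool:
    """Probe a PID without consulting the /proc listing: kill(pid, 0) delivers
    no signal but reports whether the target exists (EPERM still means it does)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def proc_tgid(pid: int, proc_root: str = "/proc") -> Optional[int]:
    """Thread-group ID from /proc/<pid>/status, or None if unreadable. On Linux
    /proc/<tid> resolves for an individual thread even though the listing omits it."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids(listed: set,
                     alive: Callable[[int], bool],
                     tgid_of: Callable[[int], Optional[int]],
                     candidates: Iterable[int]) -> list:
    """PIDs that answer a probe, are absent from the listing, and are not merely
    a thread of a listed process. Pure function: all inputs are injected."""
    hidden = []
    for pid in candidates:
        if pid in listed or not alive(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue  # a thread whose group leader is visible: benign
        hidden.append(pid)
    return hidden


def scan(proc_root: str = "/proc") -> list:
    """Live scan. Two passes so that processes created or exited between the
    listing and the probe loop are not reported as hidden."""
    with open(f"{proc_root}/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    tgid_of = lambda pid: proc_tgid(pid, proc_root)
    first = find_hidden_pids(proc_listed_pids(proc_root), pid_alive, tgid_of,
                             range(1, max_pid + 1))
    # Re-list and re-probe only the candidates; a transient PID drops out here.
    return find_hidden_pids(proc_listed_pids(proc_root), pid_alive, tgid_of, first)


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers a probe but is missing from /proc")
```

Treat a non-empty result as a lead for triage, not as proof, and an empty result as weak evidence: a kernel-mode rootkit that hooks the syscall path can lie to kill() just as it lies to the /proc listing, so the check is only as good as the independence of the two views it compares. Running it from a known-clean boot medium against a mounted image is not possible for live process state, which is why memory acquisition is the stronger follow-up when the result is suspicious.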