U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Reptile Rootkit employed in attacks against Linux systems in South Korea

Researchers observed threat actors that are using an open-source rootkit called Reptile in attacks aimed at systems in South Korea. Reptile is an open-source kernel module rootkit that was designed to target Linux systems, unlike other rootkits, it also offers a reverse shell. The malware supports port knocking, it opens a specific port on an infected system […]

Reptile

Researchers observed threat actors that are using an open-source rootkit called Reptile in attacks aimed at systems in South Korea.

Reptile is an open-source kernel module rootkit that was designed to target Linux systems, unlike other rootkits, it also offers a reverse shell. The malware supports port knocking, it opens a specific port on an infected system and waits for a Magic Packet sent by the attackers to establish a C2 connection.

Reptile

Researchers from the AhnLab Security Emergency Response Center (ASEC) reported that threat actors are using Reptile to target Linux systems in South Korea.

The researchers observed multiple campaigns leveraging Reptile since 2022.

Recently Mandiant published a report about a campaign attributed to a China-linked APT group that used the Reptile rootkit and exploited the zero-day vulnerability (CVE-2022-41328) in Fortinet products. Researchers from ExaTrack also detailed a campaign using the Mélofée malware and the Reptile rootkit. The researchers attributed the campaign to the China-linked cyberespionage group Winnti.

The Reptile malware uses a loader that is a kernel module packed using the open-source tool kmatryoshka.

The tool is used to decrypt the rootkit and load its kernel module into memory. Then the kernel module opens a specific port and awaits for the attacker communications.

Reptile relies on an engine called KHOOK to hook Linux kernel functions. The rootkit was employed in past attacks against South Korean companies.

“The initial method of infiltration remains unidentified, but upon examination, the Reptile rootkit, reverse shell, Cmd, and startup script were all included, allowing the basic configuration to be ascertained.” states the report from ASEC. “In this particular attack case, apart from Reptile, an ICMP-based shell called ISH was also utilized by the threat actor. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell. Typically, reverse shells or bind shells use protocols like TCP or HTTP, but it is speculated that the threat actor opted for ISH to evade network detection caused by these communication protocols.”

Researchers warn that Reptile can be easily utilized by various threat actors because its code is available as open-source. Threat actor can also customize the rootkit in future attacks and use it in conjunction with other malware.

The report also includes Indicators of Compromise (IOCs) for this threat

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, rootkit)