New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking
A new kernel module rootkit malware, dubbed Reptile, was recently released on GitHub. It is an open-source rootkit with the ability to hide itself, other malicious code, files, directories, and network traffic.
However, unlike other rootkit malware, Reptile stands out with a reverse shell, enabling easy system control, and its signature technique is Port Knocking.
Port Knocking opens a specific port on an infected system, connecting it to the C&C server upon receiving an attacker's Magic Packet.
The cybersecurity researchers at ASEC recently identified this new rootkit malware.
Rootkit Malware Attacking Linux Systems
Reptile aids malware installation and equips attackers with Listener, a command-line tool that awaits a reverse shell connection from infected systems, granting control to the attacker.
Attackers can obtain a reverse shell without specifying the C&C server in advance by sending specific packets using Port Knocking. Packet, a command-line tool, receives the parameters for the reverse shell connection and the port knocking method.
Moreover, an interface is provided via the Client. By default, Reptile installs its malicious code under the /reptile/ directory path using names like reptile, reptile_shell, and reptile_cmd.
The loader, reptile, decrypts and installs the encrypted Reptile rootkit kernel module, avoiding its existence as a plain file on disk.
reptile_cmd communicates commands to the Reptile rootkit, passing the intended function as an argument. reptile_shell, a reverse shell malware, executes with arguments provided by the rootkit.
If an immediate C&C server connection is chosen during installation, the command is set in the /reptile/reptile_start script.
The rootkit triggers the reverse shell via the script after loading the kernel module. The address received via port knocking can also carry the C&C server address during reverse shell execution.
The Reptile rootkit waits for a Magic Packet on a specific port, which reveals the C&C server address for the reverse shell connection, supporting the port knocking method.
Reptile's defconfig file holds the default settings:-
- MAGIC_VALUE is ‘hax0r’
- PASSWORD is ‘s3cr3t’
- SRCPORT is ‘666’
The rootkit monitors incoming packets over TCP/UDP/ICMP, targeting the port specified by the configuration file (666).
The Reptile rootkit's reverse shell connects to the C&C server using the received address, using 's3cr3t' as the PASSWORD for communication with the Listener. This can be done in two ways:-
- Port Knocking
- During rootkit kernel module installation
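As an added defender-side example (not code from the ASEC report or the Reptile project), the routine below flags candidate Reptile knocking traffic in constructed packet records using only the indicators given above: the default port 666, the default magic value 'hax0r', and the fact that the knock may arrive over TCP, UDP or ICMP. It also lists files under the default /reptile/ install path; the magic-packet layout is not documented here, so the substring match on the magic value is an assumption to tune against real captures.

```python
from dataclasses import dataclass

KNOCK_PORT = 666            # default SRCPORT in Reptile's defconfig
MAGIC_VALUE = b"hax0r"      # default MAGIC_VALUE in Reptile's defconfig
INSTALL_DIR = "/reptile/"   # default install directory named in the report

@dataclass
class Packet:
    """Minimal packet record; a real detector would fill this from a pcap or sensor."""
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    dst_port: int    # 0 for ICMP, which has no port
    payload: bytes

def is_knock_candidate(pkt: Packet) -> bool:
    """Flag packets matching Reptile's default knocking pattern.

    The report says the rootkit watches TCP, UDP and ICMP for a magic packet on
    port 666; the exact packet layout is not given, so a substring match on the
    default magic value is used (an assumption; operators can change both values).
    """
    if MAGIC_VALUE not in pkt.payload:
        return False
    if pkt.proto == "icmp":
        return True                       # no destination port to check on ICMP
    return pkt.proto in ("tcp", "udp") and pkt.dst_port == KNOCK_PORT

def find_knock_sources(packets):
    """Return the distinct source IPs that sent candidate magic packets."""
    return sorted({p.src_ip for p in packets if is_knock_candidate(p)})

def find_install_artifacts(paths):
    """Host-side check: files under the default /reptile/ install directory."""
    return [p for p in paths if p.startswith(INSTALL_DIR)]

# Constructed sample traffic and file list (not a real capture or real host data).
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 666, b"\x01\x02hax0r\x00\x00"),   # knock over TCP
    Packet("udp", "203.0.113.7", 666, b"hax0r"),                    # knock over UDP
    Packet("icmp", "203.0.113.8", 0, b"\x00" * 8 + b"hax0r"),      # knock over ICMP
    Packet("tcp", "192.0.2.10", 666, b"GET / HTTP/1.1\r\n"),        # port 666, no magic value
    Packet("tcp", "192.0.2.11", 8080, b"hax0r"),                    # magic value, wrong port
]
SAMPLE_PATHS = ["/usr/bin/ls", "/reptile/reptile_cmd", "/reptile/reptile_start"]

if __name__ == "__main__":
    print("knock sources:", find_knock_sources(SAMPLE_PACKETS))
    print("install artifacts:", find_install_artifacts(SAMPLE_PATHS))
```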
Reptile's reverse shell originates from TinySHell, an open-source Linux backdoor. Rekoobe, a backdoor malware used by Chinese groups, shares similarities with the Syslogk rootkit, suggesting an influence on Reptile's structure.
Recommendations
Here below we have listed the key recommendations offered by the security analysts at ASEC to prevent security threats like this:-
- Make sure to review the settings carefully.
- Make sure to keep all systems up to date with the latest available patches and updates.
- Always use the latest V3 to block malicious code infections.
- Make sure to use a robust security solution.
Source credit : cybersecuritynews.com