New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking

by Esmeralda McKenzie

A new kernel-module rootkit, dubbed Reptile, was recently released on GitHub. It is an open-source rootkit that can hide itself, other malicious code, files, directories, and network traffic.

Unlike other rootkit malware, Reptile stands out by also providing a reverse shell, which makes controlling the machine easy, and its signature feature is port knocking.

With port knocking, the rootkit listens on a specific port on the infected machine and connects to the C&C server once it receives the attacker’s Magic Packet.

The cybersecurity researchers at ASEC recently identified this new rootkit malware.

Rootkit Malware Attacking Linux Systems

Reptile supports the installation of malware and equips attackers with Listener, a command-line tool that waits for the reverse shell connection from infected systems, giving the attacker control.

Attackers can obtain a reverse shell without specifying the C&C server at install time by sending specific packets using port knocking. Packet, a command-line tool, takes the parameters for the reverse shell connection and the port knocking method.

Figure: Reptile’s operation structure (Source – ASEC)

An interface is also provided through the Client. By default, Reptile installs its malicious components under the /reptile/ directory path using names such as reptile, reptile_shell, and reptile_cmd.

The loader, reptile, decrypts and installs the encrypted Reptile rootkit kernel module, so the module never exists directly as a file on disk.

Figure: Installation directory (Source – ASEC)

reptile_cmd delivers commands to the Reptile rootkit, receiving the target to conceal as an argument. reptile_shell, a reverse shell malware, executes with the arguments supplied by the rootkit.

If an immediate C&C server connection is chosen during installation, the command is set in the /reptile/reptile_start script.

The rootkit triggers the reverse shell through this script after loading the kernel module. The address received via port knocking can also supply the C&C server address when the reverse shell is executed.

The Reptile rootkit waits for a Magic Packet on a specific port; the packet reveals the C&C server address for the reverse shell connection, which is how the port knocking method is supported.

Reptile’s defconfig file holds the main settings:-

  • MAGIC_VALUE is ‘hax0r’
  • PASSWORD is ‘s3cr3t’
  • SRCPORT is ‘666’

The rootkit monitors incoming packets via TCP/UDP/ICMP, targeting the port specified by the configuration file (666).
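As an added detection example (not ASEC’s analysis code or Reptile’s own code), the following parses raw IPv4 packets and flags knock candidates that match the defconfig values quoted above: TCP or UDP traffic to port 666, or ICMP, whose payload carries the MAGIC_VALUE ‘hax0r’. The packet bytes are constructed for the demo, and treating ICMP as matched on payload alone is an assumption, since ICMP has no port.

```python
"""Flag Reptile-style knock packets: TCP/UDP to port 666 or ICMP, payload with 'hax0r'."""
import struct

MAGIC_VALUE = b"hax0r"   # from Reptile's defconfig, as quoted in the article
SRCPORT = 666            # port named in the configuration file

def parse_ipv4(pkt: bytes):
    """Return (proto, dst_port_or_None, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4           # header length in bytes
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (6, 17):                # TCP / UDP: destination port is bytes 2..4
        dport = struct.unpack("!H", l4[2:4])[0]
        hlen = (l4[12] >> 4) * 4 if proto == 6 else 8
        return proto, dport, l4[hlen:]
    if proto == 1:                      # ICMP: 8-byte header, no ports
        return proto, None, l4[8:]
    return proto, None, b""

def is_knock_candidate(pkt: bytes) -> bool:
    proto, dport, payload = parse_ipv4(pkt)
    if MAGIC_VALUE not in payload:
        return False
    if proto == 1:
        return True                     # assumption: ICMP knock judged on payload only
    return dport == SRCPORT

# --- constructed sample packets (not captured traffic) ---
def build_ipv4(proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, payload):          # minimal 20-byte header, data offset 5
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def icmp(payload):                      # echo request header
    return struct.pack("!BBHHH", 8, 0, 0, 0, 0) + payload

SAMPLES = {
    "udp_knock": build_ipv4(17, udp(40000, 666, b"hax0rXXXX")),
    "tcp_knock": build_ipv4(6, tcp(40000, 666, b"hax0rXXXX")),
    "icmp_knock": build_ipv4(1, icmp(b"hax0r")),
    "normal_dns": build_ipv4(17, udp(40000, 53, b"\x12\x34\x01\x00")),
    "wrong_port": build_ipv4(17, udp(40000, 667, b"hax0r")),
}

def scan(samples=SAMPLES):
    """Names of sample packets that look like a Reptile knock, sorted."""
    return sorted(name for name, pkt in samples.items() if is_knock_candidate(pkt))
```

A sensor using this logic would only raise a candidate alert; the magic value is configurable, so a real deployment should treat any unexpected traffic to the configured port as worth inspecting.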

Figure: Reverse shell using port knocking (Source – ASEC)

The Reptile rootkit’s reverse shell connects to the C&C server using the received address, with ‘s3cr3t’ as the PASSWORD for communicating with the Listener. This can be done in two ways:-

  • Port Knocking
  • During rootkit kernel module installation

Reptile’s reverse shell originates from TinySHell, an open-source Linux backdoor. Rekoobe, a backdoor malware used by Chinese groups, shares similarities with the Syslogk rootkit, suggesting an influence on Reptile’s structure.

Recommendations

Here below we have listed the key recommendations offered by the security analysts at ASEC to prevent security threats like this:-

  • Make sure to check the system settings carefully.
  • Make sure to keep all systems up to date with the latest available patches and updates.
  • Always use the latest V3 to block malicious code infections.
  • Make sure to use a robust security solution.

Source credit : cybersecuritynews.com