Rekoobe Malware Used by Chinese Hacker Group to Attack Linux Systems
Rekoobe is a backdoor malware that targets vulnerable Linux servers and is known to be used by the Chinese APT group APT31.
It has been active since 2015, and in 2018 up-to-date versions of Rekoobe were used to target Linux servers; builds exist for the x86, x64, and SPARC architectures.
The AhnLab Security Emergency Response Center (ASEC) shares various Rekoobe variants and categorizes the Rekoobe malware used in attacks targeting domestic companies in its latest article.
It mainly targets outdated Linux servers or servers running with insecure settings, and it is also used in supply chain attacks.
Analysis of the Rekoobe variant:
- MD5: 8921942fb40a4d417700cfe37cce1ce7
- C&C server: resolv.ctmailer[.]net:80 (103.140.186.32)
- Download address: hxxp://103.140.186[.]32/mails
Rekoobe, built from the open-source Tiny SHell code, uses the strcpy() function to change the process name when the program runs, making it difficult for users to recognize.
It has no command-line option for receiving the address or password of the C&C server.
Rekoobe generates an AES-128 key using the HMAC SHA1 algorithm and encrypts the communication data exchanged with the C&C server using that key.
First, 0x28 bytes of data are received from the C&C server; this is divided into two 0x14-byte halves, which are used as the IVs when initializing the HMAC SHA1 context.
In the initialization process, the hard-coded password string "0p;/9ol." is used together with the IV (each of the received 0x14-byte halves).
The generated HMAC SHA1 values are the AES-128 keys, used respectively to encrypt data transmitted to the C&C server and to decrypt data received from it.
Next, 0x10 bytes of integrity verification data are received from the C&C server, decrypted with the AES-128 key set up above, and passed through the XOR step.
The data delivered afterwards is used for integrity verification; it is 0x10 bytes and must have the same value.
Once the integrity verification is complete, the same 0x10 bytes of integrity data are transmitted to the C&C server. When sending, the data is encrypted with the AES-128 key created from the HMAC SHA1 value described above.
Finally, simple single-byte commands are executed for file upload, file download, and reverse shell.
Another Rekoobe sample opens a port in the form of a bind shell and waits for the C&C server to connect. This is because Tiny SHell supports both modes.
Rekoobe is presumed to have a separate builder. Although a random password string is usually used, "replace with your password", which appears to be the default string, is also seen.
The attacker uses different malicious code for each attack. Unlike the password, where a different string is used every time, the data used for integrity verification is characterized by the fact that "58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D" is used in most of the source code.
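The handshake described above (the 0x28-byte IV block, the HMAC SHA1 key derivation with the hard-coded password, and the fixed 0x10-byte integrity constant) can be modelled so that an analyst holding a captured session can check whether its integrity message decrypts to that constant. The Go program below is an added example written for this article, not ASEC's or Tiny SHell's own code; it assumes the HMAC is keyed with the password and computed over one IV half, that the 20-byte HMAC output is truncated to a 16-byte AES-128 key, that AES runs in CBC mode with the first 16 bytes of the IV half, and that the second 0x14-byte half seeds the key for data received from the C&C.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)
const password = "0p;/9ol." // hard-coded password quoted in the article
var challenge = []byte{0x58, 0x90, 0xAE, 0x86, 0xF1, 0xB9, 0x1C, 0xF6, 0x29, 0x83, 0x95, 0x71, 0x1D, 0xDE, 0x58, 0x0D} // 0x10-byte integrity constant quoted in the article

// deriveKey follows the article: HMAC-SHA1 keyed with the password over one 0x14-byte IV,
// truncated to an AES-128 key. Assumption: truncation and argument order were not verified on the sample.
func deriveKey(iv []byte) []byte {
	m := hmac.New(sha1.New, []byte(password))
	m.Write(iv)
	return m.Sum(nil)[:16]
}

// cbcBlock runs one AES-128 CBC block; decryption is AES then XOR with the IV (the article's "XOR step").
func cbcBlock(key, iv, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(iv) != 16 || len(in) != 16 {
		return nil, fmt.Errorf("bad key, IV or block length")
	}
	out := make([]byte, 16)
	if decrypt {
		c.Decrypt(out, in)
		in = out
	}
	for i := range out {
		out[i] = in[i] ^ iv[i]
	}
	if !decrypt {
		c.Encrypt(out, out)
	}
	return out, nil
}

// VerifyChallenge reports whether the 0x10-byte encrypted integrity message that followed a session's
// opening 0x28-byte block decrypts to the constant. Assumption: the second IV half keys C&C-to-backdoor data.
func VerifyChallenge(ivBlock, encChallenge []byte) (bool, error) {
	if len(ivBlock) != 0x28 {
		return false, fmt.Errorf("IV block must be 0x28 bytes, got %d", len(ivBlock))
	}
	recvIV := ivBlock[0x14:]
	plain, err := cbcBlock(deriveKey(recvIV), recvIV[:16], encChallenge, true)
	return err == nil && bytes.Equal(plain, challenge), err
}
```

A match on a real capture confirms the session uses this password, while a mismatch on a sample known to be Rekoobe points at a rebuilt password, which the builder discussion above says is the common case.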
Since it is based on open source, Rekoobe may also be used by other attackers besides the well-known Chinese attack group APT31, and cases of attacks against domestic systems are increasing.
To prevent such security threats, always update the relevant systems to the latest versions to protect them from attacks.
Indicators of compromise
Source credit : cybersecuritynews.com