A new threat is affecting computers in South Korea: an open-source rootkit called Reptile is being used to attack Linux systems there.

How the Reptile rootkit works

“Unlike other rootkit malware that usually only provides cloaking capabilities, Reptile goes further by offering a reverse shell, allowing cybercriminals to easily take over systems,” the AhnLab Security Emergency Response Center (ASEC) declared in a report released this week.

“Port knocking is a method where malware opens a specific port on an infected system and goes into standby. When the cybercriminal sends a magic packet to the system, the received packet is used as the basis for establishing a connection with the C&C (command and control) server.”

A rootkit, in short, is malicious software designed to give privileged “root”-level access to a machine while concealing its presence; at least four different campaigns have leveraged Reptile since 2022.

The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with a cybercriminal group known as Earth Berberoka (also known as GamblingPuppet), which was found to use the malware to hide connections and processes related to a cross-platform Python trojan known as Pupy RAT, in attacks targeting gambling sites in China.

Subsequently, in March 2023, Google-owned Mandiant detailed a series of attacks carried out by a malicious hacker group allegedly linked to China, dubbed UNC3886, which used zero-day vulnerabilities in Fortinet equipment to deploy several custom implants as well as Reptile.

In the same month, ExaTrack revealed that a Chinese hacker group was using a Linux malware family called Mélofée, based on Reptile; in June 2023, meanwhile, Microsoft discovered a cryptojacking operation that used a shell-script backdoor to download Reptile in order to hide its child processes, files and their contents.

A closer look at Reptile reveals the use of a loader, which uses a tool called kmatryoshka to decrypt and load the rootkit kernel module into memory, after which it opens a specific port and waits for the attacker to send a magic packet to the host over protocols such as TCP, UDP or ICMP.

“The data received via the magic packet contains the address of the C&C server,” ASEC said. “Based on this, a reverse shell connects to the C&C server.”
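The two quoted passages describe a sequence a defender can look for in network telemetry: a single small inbound packet (the knock) from an outside address, followed within seconds by a brand-new outbound connection from the same host to an address it has never talked to before (the reverse shell to the C&C server carried in the magic packet). The script below is an added example, not ASEC's or Reptile's code; it parses a constructed flow log with RFC 5737 documentation addresses standing in for external hosts, and the host address, byte threshold and time window are assumptions for the example.

```python
"""Flag a 'knock then call back' sequence in connection-level logs.

Added example: correlates a small inbound packet from an external source with
a new outbound connection from the same host shortly afterwards. All data and
thresholds here are constructed for illustration.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts proto direction src dst dport nbytes")

# Constructed sample flow records (not captured from a real host).
# Fields: timestamp, protocol, direction relative to the monitored host,
# source IP, destination IP, destination port, bytes transferred.
SAMPLE_LOG = """\
2023-08-01T10:00:01 tcp  in  203.0.113.7  10.0.0.5   22   1824
2023-08-01T10:00:05 icmp in  198.51.100.9 10.0.0.5   0    96
2023-08-01T10:00:06 tcp  out 10.0.0.5     192.0.2.44 4444 312
2023-08-01T10:05:00 tcp  out 10.0.0.5     10.0.0.2   443  9001
2023-08-01T10:05:02 udp  in  10.0.0.2     10.0.0.5   53   120
"""

MONITORED_HOST = "10.0.0.5"      # assumed address of the host being watched
KNOCK_MAX_BYTES = 200            # a knock is one small datagram or segment
CALLBACK_WINDOW = timedelta(seconds=30)

# Address ranges treated as "inside"; anything else counts as external.
# RFC 5737 documentation ranges are deliberately not listed so they can play
# the role of Internet hosts in the sample log.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Turn whitespace-separated log lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, direction, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), proto, direction,
                          src, dst, int(dport), int(nbytes)))
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def detect_knock_callback(flows, host=MONITORED_HOST,
                          window=CALLBACK_WINDOW, knock_max=KNOCK_MAX_BYTES):
    """Return (knock, callback) pairs: an external small inbound packet to
    `host` followed within `window` by the host's first-ever outbound
    connection to an external destination."""
    pending = []       # recent inbound knock candidates
    seen_dests = set() # outbound destinations already observed (baseline)
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.direction == "in" and f.dst == host:
            if is_external(f.src) and f.nbytes <= knock_max:
                pending.append(f)
        elif f.direction == "out" and f.src == host:
            if f.dst not in seen_dests and is_external(f.dst):
                for knock in pending:
                    if timedelta(0) <= f.ts - knock.ts <= window:
                        alerts.append((knock, f))
            seen_dests.add(f.dst)
        # forget knocks that have aged out of the correlation window
        pending = [k for k in pending if f.ts - k.ts <= window]
    return alerts


if __name__ == "__main__":
    for knock, cb in detect_knock_callback(parse_log(SAMPLE_LOG)):
        print(f"knock {knock.proto} from {knock.src} at {knock.ts:%H:%M:%S} "
              f"-> new outbound {cb.dst}:{cb.dport} at {cb.ts:%H:%M:%S}")
```

On the sample data only the ICMP packet followed one second later by the connection to port 4444 is flagged; the SSH session is too large to be a knock, and the later internal traffic never leaves the local range. In practice the destination baseline should come from days of history rather than the same file, and the byte threshold should be tuned to the protocols in use, since the page notes the knock can arrive over TCP, UDP or ICMP alike.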

It’s worth noting that the use of magic packets to trigger malicious activity has previously been observed in another rootkit called Syslogk, documented by Avast last year.

The South Korean cybersecurity firm said it also detected a case of an attack in the country involving the use of Reptile, showing some tactical similarities to Mélofée.

“Reptile is a Linux kernel-level rootkit malware that provides cloaking for files, directories, processes, and network communications,” ASEC said. “However, Reptile itself also provides a reverse shell, making systems with Reptile installed susceptible to being hijacked by cyber criminals.”
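Process cloaking of the kind ASEC describes usually works by filtering the entries a tool such as ps reads from the /proc directory. A long-standing check is to compare that listing with what the kernel admits when asked about each PID individually. The script below is an added example of that comparison, not part of the article or of any vendor tool; the PID range and the number of scan rounds are assumptions, and the pure comparison function is separated out so it can be exercised on constructed sets.

```python
"""Compare the /proc listing with per-PID probes to spot hidden processes.

Added example. A process that answers kill(pid, 0) but is absent from the
/proc directory listing is a candidate for a hidden process.
"""
import os


def list_visible_pids(proc="/proc"):
    """PIDs as presented by the /proc directory listing (what ps uses)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), asked one at a time."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)           # signal 0: existence check only
        except ProcessLookupError:
            continue                  # no such process
        except PermissionError:
            pass                      # exists, owned by another user
        found.add(pid)
    return found


def hidden_pids(visible, probed):
    """Pure comparison: PIDs the kernel confirms but the listing omits."""
    return sorted(set(probed) - set(visible))


def read_max_pid(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound of the PID space; assumed default if the file is unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def scan_for_hidden(rounds=2, proc="/proc"):
    """Run the comparison several times and keep only PIDs hidden in every
    round, filtering out processes that exited between listing and probe."""
    max_pid = read_max_pid()
    result = None
    for _ in range(rounds):
        hidden = set(hidden_pids(list_visible_pids(proc), probe_pids(max_pid)))
        result = hidden if result is None else result & hidden
    return sorted(result)


if __name__ == "__main__":
    suspects = scan_for_hidden()
    print("hidden PID candidates:", suspects or "none")
```

The comparison is cheap but not decisive: a kernel module that hooks both the directory read and the kill syscall returns consistent answers to both, and on a system running many processes the probe loop over the full PID space takes a few seconds. Treat a non-empty result as a reason to acquire memory and disk for offline analysis rather than as proof on its own.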

Linux malware will continue

The popularity of operating systems based on the Linux kernel is due both to people being “tired” of Windows and to some finding Linux more comfortable than Windows; with the restrictions of Windows 11 (which, yes, can be circumvented, though not necessarily forever), it is very probable that in the near future the number of personal computers running a Linux operating system will increase, with a corresponding increase in threats like this one.

As with Windows, whatever the operating system, the first line of defence must be the user.

In conclusion, to give an idea of how difficult it is to activate Reptile on Linux, I show you a short video of a user testing it (since it can be downloaded from GitHub).

Trivia

As you can see from the video and the GitHub links for this rootkit, the name itself is inspired by the character of the same name from the Mortal Kombat video game series (Reptile, to be precise). Incidentally, there is also a ransomware called Mortal Kombat, named after the same video game.