Mélofée: Researchers Uncover New Linux Malware Linked to Chinese APT Groups

A new strain of Linux malware has been attributed to an as-yet unidentified Chinese hacking group that is suspected of being state-sponsored.

Cybersecurity firm ExaTrack recently discovered three samples of a previously undocumented malicious program named Mélofée, dated to early 2022.

One of the artifacts is designed to drop a kernel-mode rootkit based on Reptile, an open-source project.

ExaTrack stated in a report that the rootkit was built specifically for kernel version 5.10.112-108.499.amzn2.x86_64, as indicated by its vermagic metadata. The rootkit's capabilities are limited, its primary function being to install a hook designed for hiding itself.
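The vermagic string is a useful defensive indicator: the kernel refuses to load a module whose vermagic release does not match the running kernel, so a module built for one exact release that turns up on a different host is worth a second look. The following Python, added here and not taken from the ExaTrack report, parses the `.modinfo` section of an ELF64 kernel module and compares its vermagic release with the running kernel; the sample module bytes and the configuration flags after the release string are constructed for the demonstration.

```python
import platform
import struct

ELF_HDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian (64 bytes)
SEC_HDR = "<IIQQQQIIQQ"        # ELF64 section header (64 bytes)
SHT_PROGBITS, SHT_STRTAB = 1, 3

def modinfo(ko: bytes) -> dict:
    """Return the key=value pairs stored in a kernel module's .modinfo section."""
    if ko[:4] != b"\x7fELF" or ko[4] != 2 or ko[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(ELF_HDR, ko, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    section = lambda i: struct.unpack_from(SEC_HDR, ko, e_shoff + i * e_shentsize)
    names = section(e_shstrndx)                     # section-name string table
    strtab = ko[names[4]:names[4] + names[5]]
    for i in range(e_shnum):
        s = section(i)
        if strtab[s[0]:strtab.index(b"\0", s[0])] == b".modinfo":
            entries = ko[s[4]:s[4] + s[5]].split(b"\0")   # NUL-separated key=value strings
            pairs = (e.split(b"=", 1) for e in entries if b"=" in e)
            return {k.decode(): v.decode() for k, v in pairs}
    raise ValueError("no .modinfo section found")

def vermagic_matches(ko: bytes, running: str = "") -> bool:
    """True when the module's vermagic kernel release equals the running kernel's."""
    release = modinfo(ko)["vermagic"].split()[0]   # vermagic = "<release> <config flags...>"
    return release == (running or platform.release())

def build_sample_ko(vermagic: str) -> bytes:
    """Constructed minimal ELF64 holding only .shstrtab and .modinfo (not a real module)."""
    shstr = b"\0.shstrtab\0.modinfo\0"              # names at offsets 1 and 11
    info = b"license=GPL\0vermagic=" + vermagic.encode() + b"\0"
    shstr_off, info_off = 64, 64 + len(shstr)
    sh_off = (info_off + len(info) + 7) & ~7        # section headers, 8-byte aligned
    hdr = struct.pack(ELF_HDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                      1, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 1)
    sections = struct.pack(SEC_HDR, *([0] * 10))    # mandatory null section
    sections += struct.pack(SEC_HDR, 1, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    sections += struct.pack(SEC_HDR, 11, SHT_PROGBITS, 0, 0, info_off, len(info), 0, 0, 1, 0)
    body = hdr + shstr + info
    return body + b"\0" * (sh_off - len(body)) + sections

if __name__ == "__main__":
    sample = build_sample_ko("5.10.112-108.499.amzn2.x86_64 SMP mod_unload")  # flags constructed
    print(modinfo(sample)["vermagic"], "matches host:", vermagic_matches(sample))
```

On a real `.ko` file, `modinfo(open(path, "rb").read())` returns the same dictionary that the `modinfo` command prints.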

Both the implant and the rootkit are deployed through shell commands that download an installer and a separate binary package from a remote server.

The installer takes the binary package as input and extracts from it both the rootkit and a server implant module that is still under active development.

Mélofée's capabilities resemble those of other backdoors: it connects to a remote server and receives commands to perform file operations, create sockets, launch a shell, and execute arbitrary commands.

The malware's link to China is based on infrastructure overlaps with other groups such as APT41 (also known as Winnti) and Earth Berberoka (also known as GamblingPuppet).

Earth Berberoka is a state-sponsored actor that has targeted gambling websites in China since at least 2020, using multi-platform malware such as HelloBot and Pupy RAT.

Trend Micro has reported that some samples of the Python-based Pupy remote access Trojan were hidden using the Reptile rootkit.
