Rewterz Threat Alert – Reptile Rootkit: Targeted Attacks on Linux Systems in South Korea – Active IOCs

Severity

High

Analysis Summary

Researchers have detected a notable cyber threat involving the use of the open-source rootkit known as Reptile, which is being deployed in targeted attacks against systems within South Korea. Unlike typical rootkits, Reptile, designed for Linux systems, offers the unique feature of a reverse shell, enhancing its capabilities. The malware incorporates port knocking, wherein a specific port on an infected system is opened, waiting for a specially crafted Magic Packet from attackers to establish a Command and Control (C2) connection.

This campaign utilizing Reptile has been active since 2022, with multiple instances of attacks observed. A significant development was brought to light through Mandiant’s report, which attributed a campaign employing Reptile and a zero-day vulnerability (CVE-2022-41328) in Fortinet products to a China-linked APT group. Another campaign exposed the use of the Mélofée malware in conjunction with Reptile, associating it with the China-linked cyberespionage group Winnti.

Reptile employs a kernel module loader, packed using the open-source tool “kmatryoshka,” to decrypt and load its kernel module into memory. This module subsequently establishes a specific port, awaiting communications from attackers. The rootkit effectively uses KHOOK, an engine that hooks Linux kernel functions, and has been previously deployed in attacks against South Korean organizations.

In a specific attack instance, alongside Reptile, a malware strain named ISH was also identified. ISH utilizes the ICMP protocol to provide a shell to threat actors, deviating from conventional communication protocols like TCP or HTTP to potentially evade network detection. Researchers emphasize that Reptile’s open-source nature makes it highly adaptable for various threat actors, who can modify and customize the rootkit for future attacks, possibly in tandem with other malware. This revelation underscores the evolving landscape of cyber threats and the importance of proactive security measures to counter their impact.

Impact

• Data Breach and Exposure
• Systems Takeover
• Espionage and Surveillance

Indicators of Compromise

IP

• 146.4.21.94
• 109.248.150.13
• 108.61.186.55

MD5

• 1957e405e7326bd2c91d20da1599d18e
• d1abb8c012cc8864dcc109b5a15003ac
• f8247453077dd6c5c1471edd01733d7f
• cb61b3624885deed6b2181b15db86f4d
• c3c332627e68ce7673ca6f0d273b282e
• 246c5bec21c0a87657786d5d9b53fe38
• bb2a0bac5451f8acb229d17c97891eaf
• 977bb7fa58e6dfe80f4bea1a04900276
• 5b788feef374bbac8a572adaf1da3d38

SHA-256

• 1425a4a89b938d5641ed438333708d1728cfed8c124451180d011f6bbb409976
• d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba
• 133d3e070e30c94a591450b0930daf9f751debc0f4384fac6ace63f60a383818
• 17bbebd7d8982d580cc3dea35d988ae2bfd62d708b69662419c41682274e0a14
• 4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca
• 99ffc0099277bef59a37a4cfcf4cdd71df13ad33d1c7bf943dc87f803e75dd2c
• 15e4e936b2f47eb3fa2455b7c22b2714bebe9f8c01b24bbf7cb5f9559999d292
• 7ce7b914bd434f8a45db1cb3ec783237a5485b7abcee4df06275ea274e095295
• cbe9107185c8e42140dbd1294d8c20849134dd122cc64348f1bfcc90401379ec

SHA-1

• 0c6d838c408e88113a4580e733cdb1ca93807989
• 2ca4787d2cfffac722264a8bdae77abd7f4a2551
• 783736e9274bd2bb90390bb9c23a62c387cde3ef
• a5f6162c6b6b6f0c177771a56a6b1eb5d7b593a0
• 3cc2d6bf5215de3c24fb194c232a0411cede78e0
• 7d9eaefeb0c95473ad86abbdcffdbdf6950b8dd2
• ee295ec546158e425a3660a4a9402916087ccd97
• 467ea946ac857471e2f01bbdc4258a0ff31c01ce
• 76d6cb6b6e9b40b07944153b1f140e786e3ae381

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Implement the principle of least privilege by restricting user and application access to only the necessary resources. This limits the potential for attackers to move laterally within the network and minimizes the impact of a breach.
• Segment the network to isolate critical systems and sensitive data from less critical assets.
• Deploy firewalls and IDS solutions to monitor network traffic for suspicious or unauthorized activity. Configure rules to block unauthorized access and detect anomalous behavior.
• Implement robust endpoint security solutions that include malware detection, intrusion prevention, and behavior-based analysis to detect and prevent the execution of malicious code.
• Use email filtering and anti-phishing solutions to block malicious attachments and links that could serve as initial infection vectors.
• Conduct regular security awareness training for employees to educate them about phishing tactics, social engineering, and safe computing practices. Encourage reporting of suspicious activities.
• Implement MFA for accessing sensitive systems and data. This adds an extra layer of protection even if attackers manage to obtain user credentials.
• Continuously monitor network traffic and endpoint activities for signs of suspicious behavior or unauthorized access. Set up alerts for unusual activities and investigate promptly.
• Regularly back up critical data and systems. Ensure backups are isolated from the network to prevent attackers from targeting them.
• Conduct regular security audits and assessments to identify vulnerabilities and weaknesses. Engage third-party security experts to perform penetration testing and vulnerability assessments.
• Configure firewalls and network security appliances to block outbound connections to known malicious IP addresses and domains.
• Implement a SIEM system to centralize and correlate security event logs, enabling faster detection and response to suspicious activities.