Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
Researchers have identified attacks against systems in South Korea that deploy the open-source Linux rootkit Reptile. Unlike rootkits that only provide concealment, Reptile also offers a reverse shell, which gives the attacker interactive control of the compromised host. Its connection mechanism is a form of port knocking: the rootkit watches a specific port on the infected system and waits for a specially crafted Magic Packet from the attacker, which it uses to establish the Command and Control (C2) connection rather than exposing a conventional listening service.
Attacks using Reptile have been observed since 2022. Mandiant attributed a campaign that combined Reptile with a zero-day vulnerability in Fortinet products (CVE-2022-41328) to a China-linked APT group. A separate campaign used the Mélofée malware together with Reptile and was associated with the China-linked cyberespionage group Winnti.
Reptile is delivered through a loader packed with the open-source tool "kmatryoshka", which decrypts the rootkit's kernel module and loads it into memory. Once loaded, the module monitors a specific port and waits for the attacker's Magic Packet. The rootkit relies on KHOOK, an engine for hooking Linux kernel functions, to hide its presence. Reptile has previously been deployed in attacks against South Korean organizations.
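Because the rootkit hides its kernel module from the usual module listing, a first triage step on a suspect Linux host is to cross-check two independent views of loaded modules. The following script is an added example written for this advisory, not code from the advisory, from Reptile, or from any vendor: it compares the module names in /proc/modules with the runtime-loaded modules visible under /sys/module (only those carry an `initstate` file), and reports modules that appear in sysfs but not in the list that `lsmod` reads. The sample module list and names are constructed for the example. The check is a heuristic: a rootkit that also removes its sysfs object will not show up here, so an empty result is not proof of a clean system.

```python
"""Heuristic: find kernel modules present in sysfs but hidden from /proc/modules.

LKM rootkits commonly unlink themselves from the kernel's module list, which
removes them from /proc/modules (and therefore from `lsmod`). Their directory
under /sys/module frequently survives, and a runtime-loaded module there has
an `initstate` file that built-in code never gets. Comparing the two views is
a cheap, read-only triage step. It is a heuristic, not a guarantee.
"""
import os
from typing import Set

PROC_MODULES = "/proc/modules"
SYS_MODULE = "/sys/module"


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules-formatted text.

    Each line is: `name size refcount deps state address`; only the name matters.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def sysfs_loaded_modules(sys_module_dir: str = SYS_MODULE) -> Set[str]:
    """Names under /sys/module that belong to runtime-loaded modules.

    Built-in drivers that merely export parameters also get a directory there,
    so the presence of `initstate` is used to keep only loadable modules.
    """
    loaded = set()
    try:
        entries = os.listdir(sys_module_dir)
    except OSError:
        return loaded
    for name in entries:
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            loaded.add(name)
    return loaded


def find_hidden_modules(proc_names: Set[str], sysfs_names: Set[str]) -> Set[str]:
    """Modules visible in sysfs but absent from the /proc/modules list.

    Both views use the kernel's internal module name, so no normalisation is needed.
    """
    return sysfs_names - proc_names


def scan_live_system() -> Set[str]:
    """Run the comparison against the running kernel (Linux only; read-only)."""
    try:
        with open(PROC_MODULES, encoding="ascii") as fh:
            proc_names = parse_proc_modules(fh.read())
    except OSError:
        return set()
    return find_hidden_modules(proc_names, sysfs_loaded_modules())


# Constructed sample data for the example (not taken from a real incident).
SAMPLE_PROC_MODULES = (
    "nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0xffffffffc0a00000\n"
    "xt_conntrack 16384 1 - Live 0xffffffffc09f0000\n"
    "nf_nat 57344 1 - Live 0xffffffffc09e0000\n"
)
# "hidden_mod" is a hypothetical name standing in for a module that was
# unlinked from the module list but still has a sysfs directory.
SAMPLE_SYSFS_LOADED = {"nf_conntrack", "xt_conntrack", "nf_nat", "hidden_mod"}

if __name__ == "__main__":
    sample_hits = find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                                      SAMPLE_SYSFS_LOADED)
    print("sample data -> hidden:", sorted(sample_hits))
    print("this host   -> hidden:", sorted(scan_live_system()))
```

Run it as root or any user (both files are world-readable) and treat any name it reports as a lead for deeper inspection, for instance dumping the module's sections from /sys/module/<name>/sections or checking kernel logs for the load event.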
In one of the observed attacks, a second malware strain named ISH was found alongside Reptile. ISH provides the threat actor with a shell over ICMP instead of TCP- or HTTP-based channels, a choice that can evade network monitoring focused on conventional protocols. Researchers note that Reptile's open-source nature makes it easy for different threat actors to modify and customize the rootkit, and it is likely to reappear in future attacks, possibly alongside other malware. Organizations should monitor for kernel-level tampering and for anomalous ICMP traffic as part of their proactive defenses.
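ICMP is usually allowed through and rarely inspected, which is what makes an ICMP shell attractive. The script below is an added example written for this advisory, not code from the advisory, from ISH, or from any vendor, and it does not model ISH's actual wire format: it is a generic triage heuristic that parses ICMP echo request/reply messages (ICMP layer only, no IP header), verifies the RFC 1071 checksum, and flags payloads that deviate from the fillers the common ping utilities send (the Linux `10 11 12 13 ...` pattern after a timestamp, and the Windows `abcdefghijklmnopqrstuvw...` run), scoring them on size, Shannon entropy and whether they look like cleartext shell I/O. All sample packets are constructed inline; the thresholds (64 bytes, 6.0 bits/byte) are reasonable starting points, not vendor-published indicators.

```python
"""Triage of ICMP echo traffic for payloads that do not look like ordinary pings.

Generic heuristic for spotting ICMP used as a covert channel (shell I/O or
tunnelled data in echo payloads). It does not model any specific tool's wire
format; it flags payloads that deviate from the fillers common ping utilities
send and explains why each one was flagged.
"""
import math
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvw"  # Windows ping.exe repeats this run


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo message; used here only to construct sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


@dataclass
class IcmpEcho:
    icmp_type: int
    ident: int
    seq: int
    payload: bytes
    checksum_ok: bool


def parse_icmp(packet: bytes) -> Optional[IcmpEcho]:
    """Parse an ICMP message (no IP header); returns None for non-echo types."""
    if len(packet) < 8:
        return None
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    # Recompute the checksum over the message with the checksum field zeroed.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return IcmpEcho(icmp_type, ident, seq, packet[8:], icmp_checksum(zeroed) == csum)


def is_linux_ping_filler(payload: bytes) -> bool:
    """iputils ping: an 8- or 16-byte timestamp, then bytes counting up from
    (payload offset + 8), which gives the familiar 10 11 12 13 ... pattern."""
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if len(body) >= 8 and all(b == (ts_len + k + 8) & 0xFF for k, b in enumerate(body)):
            return True
    return False


def is_windows_ping_filler(payload: bytes) -> bool:
    """Windows ping: the 23-letter run repeated and truncated to the payload length."""
    repeats = len(payload) // len(WINDOWS_FILLER) + 1
    return len(payload) >= 8 and payload == (WINDOWS_FILLER * repeats)[: len(payload)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, low for text or fillers."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def assess_echo(echo: IcmpEcho) -> List[str]:
    """Reasons an echo message looks suspicious; an empty list means benign."""
    reasons = []
    if not echo.checksum_ok:
        reasons.append("bad checksum")
    payload = echo.payload
    if not payload or is_linux_ping_filler(payload) or is_windows_ping_filler(payload):
        return reasons
    reasons.append("payload is not a known ping filler")
    if len(payload) > 64:  # default pings carry 56 (Linux) or 32 (Windows) bytes
        reasons.append("oversized payload")
    entropy = shannon_entropy(payload)
    if entropy > 6.0:
        reasons.append("high entropy (%.1f bits/byte)" % entropy)
    # Cleartext shell I/O shows up as printable ASCII plus tab/newline/CR.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        reasons.append("printable text payload")
    return reasons


def triage(packets: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the heuristic over named ICMP messages; non-echo messages are skipped."""
    results = {}
    for name, raw in packets.items():
        echo = parse_icmp(raw)
        if echo is not None:
            results[name] = assess_echo(echo)
    return results


# Constructed sample traffic for the example (not captured from a real incident).
SAMPLE_PACKETS = {
    "linux_ping": build_echo(ICMP_ECHO_REQUEST, 0x1234, 1,
                             b"\x00" * 8 + bytes(range(0x10, 0x10 + 48))),
    "windows_ping": build_echo(ICMP_ECHO_REQUEST, 0x0001, 7, (WINDOWS_FILLER * 2)[:32]),
    "shell_over_icmp": build_echo(ICMP_ECHO_REPLY, 0xBEEF, 3, b"id; uname -a\n"),
    "blob_over_icmp": build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 4,
                                 bytes((i * 131 + 17) % 256 for i in range(200))),
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PACKETS).items():
        print("%-16s %s" % (name, ", ".join(reasons) or "benign"))
```

To use it on real traffic, feed `parse_icmp` the bytes after the IP header of each ICMP packet (for example from a pcap reader) and alert on anything `assess_echo` returns; pairing the per-packet reasons with volume and timing (many echoes per second between the same two hosts, or replies without a matching request id/seq) cuts false positives from monitoring tools that legitimately use unusual payloads.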