Identification of new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC authentication protocol originally targeting SPARC and Intel x86, x86-64 systems back in 2015 is back. The new malware samples have lower detection rates than their predecessors. This might be because of malware ceased its operation in 2016 after it was reported. In the current context, Rekoobe have resumed their operations utilizing a newer version of the malware.
the new variants are statically compiled ELF binaries while older variants were dynamically compiled.This undeniably implies that on a code level these two generations of the same malware are different. Since the compilation flags used by the GCC compiler differ between dynamically and statically linked code, the compiler will generate different code accordingly.
In previous Rekoobe variants, the malware would initially collect some preliminary configuration saved in disk, masquerading this configuration to be a shared object, However, in the new variants, the need for this configuration file has been completely removed, having hard-coded the subject artifacts previously dependent on the configuration file.
Download user files