ExaTrack has found a new, previously undetected implant family called Mélofée that targets Linux systems. Analysts recovered three samples of the previously unknown malware, dating from the beginning of 2022.
The malware is linked to Chinese state-sponsored APT groups, including the notorious Winnti group.
Capabilities of Mélofée
Researchers analyzed the family's capabilities, including a kernel-mode rootkit, and then worked through a maze of infrastructure pivots to find related adversary toolkits.
One of the artefacts drops a kernel-mode rootkit based on the open-source Reptile project.
“According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing a hook designed for hiding itself”, the researchers said.
The implant and rootkit were installed by shell commands that downloaded an installer and a custom binary package from an adversary-controlled server.
The installer, also written in C++, takes the binary package as its argument, then extracts and installs the rootkit and the server component.
Mélofée communicates with a remote server and receives instructions that let it operate on files, create sockets, launch a shell and execute arbitrary commands.
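The vermagic string quoted above is the kernel tag baked into a module at build time; the kernel refuses to load a module whose vermagic disagrees with the running release (unless the check is deliberately bypassed), so it tells a responder which kernel build the operator expected on the victim. Because the rootkit hides itself once loaded, the metadata is best read from the .ko file the installer drops rather than from lsmod. The following Python script is an added example, not ExaTrack's tooling: it parses the .modinfo section out of an ELF64 module and compares vermagic with a kernel release string. The sample module, its name and the flag suffix after the release are constructed for the example; only the release string comes from the report.

```python
"""Extract .modinfo from an ELF64 kernel module and compare its vermagic
with a kernel release string (example code; not ExaTrack's tooling)."""
import struct

ELF64_HDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF header
ELF64_SHDR = "<IIQQQQIIQQ"        # 64-byte section header
SHT_PROGBITS, SHT_STRTAB = 1, 3


def _cstr(buf: bytes, off: int) -> str:
    """Read a NUL-terminated string from buf at off."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode("ascii", "replace")


def modinfo_fields(ko: bytes) -> dict[str, list[str]]:
    """Return the .modinfo key/value pairs of a little-endian ELF64 .ko.
    Keys such as 'alias' and 'parm' repeat, so each key maps to a list."""
    if ko[:4] != b"\x7fELF" or ko[4] != 2 or ko[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    hdr = struct.unpack_from(ELF64_HDR, ko, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(ELF64_SHDR, ko, shoff + i * shentsize)
             for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]          # sh_offset of .shstrtab
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_ in shdrs:
        if sh_type == SHT_PROGBITS and _cstr(ko, strtab_off + sh_name) == ".modinfo":
            fields: dict[str, list[str]] = {}
            for entry in ko[sh_off:sh_off + sh_size].split(b"\0"):
                if b"=" in entry:
                    key, val = entry.decode("ascii", "replace").split("=", 1)
                    fields.setdefault(key, []).append(val)
            return fields
    raise ValueError("no .modinfo section: not a kernel module")


def assess_module(ko: bytes, running_release: str) -> dict:
    """Summarise what the module metadata says about the intended host.
    vermagic begins with the kernel release the module was built against."""
    info = modinfo_fields(ko)
    vermagic = info.get("vermagic", [""])[0]
    built_for = vermagic.split()[0] if vermagic.strip() else ""
    return {
        "name": info.get("name", ["?"])[0],
        "vermagic": vermagic,
        "built_for": built_for,
        "matches_running_kernel": built_for == running_release,
    }


def build_fake_module(modinfo: dict[str, str]) -> bytes:
    """Build a minimal ELF64 relocatable holding only .modinfo and .shstrtab.
    Constructed so the example runs offline; it is not a loadable module."""
    shstrtab = b"\0.modinfo\0.shstrtab\0"    # ".modinfo" at 1, ".shstrtab" at 10
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in modinfo.items())
    modinfo_off = 64
    shstr_off = modinfo_off + len(data)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7   # 8-byte aligned section table
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(ELF64_HDR, ident, 1, 0x3E, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)            # ET_REL, x86-64, 3 sections
    null_sh = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    modinfo_sh = struct.pack(ELF64_SHDR, 1, SHT_PROGBITS, 2, 0, modinfo_off,
                             len(data), 0, 0, 1, 0)
    shstr_sh = struct.pack(ELF64_SHDR, 10, SHT_STRTAB, 0, 0, shstr_off,
                           len(shstrtab), 0, 0, 1, 0)
    body = ehdr + data + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + null_sh + modinfo_sh + shstr_sh


if __name__ == "__main__":
    # Constructed sample: the release is the one quoted in the report; the
    # module name and the flags after it are placeholders.
    sample = build_fake_module({
        "name": "example_rootkit",
        "license": "GPL",
        "vermagic": "5.10.112-108.499.amzn2.x86_64 SMP mod_unload modversions ",
    })
    for release in ("5.10.112-108.499.amzn2.x86_64", "5.15.0-76-generic"):
        print(release, assess_module(sample, release))
```

On a live host, feed the dropped file and the local release: `assess_module(open("rootkit.ko", "rb").read(), platform.release())`; `modinfo -F vermagic rootkit.ko` against `uname -r` gives the same answer from the shell. A mismatch means the module cannot load on that host without tampering, which is itself worth recording, since it narrows the target set the operator built the package for.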
[Figure: the packet formats used by Mélofée]
The following tools are connected to the infrastructure behind the Mélofée implants:
Some of the servers were tracked by cyber threat intelligence sources as ShadowPad C&C servers;
Other servers were linked to both Winnti and HelloBot tools;
Related domains were identified as C&C servers for tools such as PlugX, Spark, Cobalt Strike, StowAway and the legitimate ToDesk remote control tool;
Lastly, the attacker probably also used the ezXSS tool, though researchers could not confirm for what purpose.
Researchers noted that the HelloBot malware family, which likewise targets Linux hosts, is known to be used by APT groups such as Earth Berberoka.
Since at least 2020, the state-sponsored actor Earth Berberoka has mostly targeted gambling websites in China with multi-platform malware, including HelloBot and Pupy RAT.
“We assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state sponsored attacker groups during at least all of 2022”, the researchers said.
ExaTrack also found another implant, codenamed AlienReverse, which shares similarities with Mélofée and uses publicly available tools such as EarthWorm and socks_proxy.
“The Mélofée implant family is another tool in the arsenal of Chinese state sponsored attackers, which show constant innovation and development,” the researchers said.
“The capabilities offered by Mélofée are relatively simple but may enable adversaries to conduct their attacks under the radar.”
Moreover, these implants were not frequently observed, indicating that the attacker probably only uses them on high-value targets.