Rekoobe Malware Worn via Chinese language Hacker Assault Linux machine

Rekoobe is a backdoor malware that goals prone Linux servers identified to be worn via the Chinese language APT31.

It’s been energetic since 2015, and in 2018 up to date variations of Rekoobe have been worn to focus on Linux servers, as its structure is x86, x64, and SPARC.

Extremity Reaction Middle (ASEC) stocks diverse Rekoobe variants and organizes Rekoobe malware worn in assaults focused on home firms in its fresh article.

Most commonly goals out of date Linux servers or are in carrier with beside the point settings and in addition taken with provide chain assaults.

Research of the Rekoobe variant:

  • MD5: 8921942fb40a4d417700cfe37cce1ce7
  • C&C server: resolv.ctmailer[.]web:80 (
  • Obtain deal with: hxxp://103.140.186[.]32/mails

Rekoobe, constructed via distinguishable supply code Modest shell, makes use of strcpy() serve as to switch the method title when working this system to build the customers tough to acknowledge.

It doesn’t have any command layout method to obtain the deal with or password of the C&C server.

Rekoobe generates an AES-128 key the usage of the HMAC SHA1 set of rules and encrypts the conversation knowledge with the C&C server the usage of the important thing.

First of all, knowledge of dimension 0x28 is gained from the C&C server, later it’s divided into two 0x14 bytes and worn because the IV when initializing the HMAC SHA1 context.

Within the initialization procedure, a hard-coded password anecdote “0p;/9ol.” may be worn along with the IV, which is every 0x14 bytes gained.

The generated HMAC SHA1 values ​​are AES-128 keys, which can be worn to encrypt and decrypt knowledge gained from the C&C server when transmitting knowledge to the C&C server, respectively.

Moreover, knowledge for integrity verification of 0x10 bytes is gained from the C&C which is decoded with the AES-128 key prepared above, and throughout the XOR procedure.

The information to be delivered thereafter is worn for integrity verification, and it’s 0x10 bytes and will have to have the similar price.

As soon as the integrity verification procedure is done, the similar integrity knowledge of 0x10 bytes is transmitted to the C&C server. When sending knowledge, it’s encrypted and transmitted the usage of the AES128 key created with the HMAC SHA1 price created above.

In spite of everything, easy instructions which can be in a single byte are done for record add, record obtain, and opposite shell.

Any other pattern of Rekoobe opens a port within the mode of a gather shell and waits for the relationship of the C&C server. It is because Modest SHell helps each.

Rekoobe is presumed to have a free builder. Even supposing a random password anecdote used to be worn, “replace with your password,” which appears to be the default anecdote, is steadily evident. 

The attacker employs other unholy code for every assault. In contrast to passwords by which a distinct anecdote is worn each day, the knowledge worn for integrity verification is characterised via the truth that “58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D” is worn for lots of the supply code.

In response to distinguishable supply, Rekoobe may well be used by alternative attackers but even so the eminent Chinese language assault staff APT31 and instances of assaults towards home methods are higher.

To bring to ban such safety blackmails, at all times replace the similar methods to the fresh variations to give protection to them from assaults. 

Indicator of compromise

– 7851833a0cc3482993aac2692ff41635
– 03a87253a8fac6d91d19ea3b47e2ca6c
– 5f2e72ff741c4544f66fec16101aeaf0
– 8921942fb40a4d417700cfe37 cce1ce7

“AI-based email security measures Protect your business From Email Threats!” – Request a Distant Demo.

Leave a Comment