Mélofée: The Latest Malware Targeting Linux Servers

An unidentified Chinese APT group is suspected of operating the Mélofée malware.

The malware may be linked to another state-sponsored APT group called Earth Berberoka (or GamblingPuppet), which mainly targets gambling websites in China.

ExaTrack, a France-based cybersecurity firm, has discovered a “novel” malware, which they have named Mélofée. According to the researchers, this malware is specifically targeting Linux servers and is believed to be operated by an unidentified Chinese state-backed APT group.

The researchers have linked this malware to the notorious Winnti group with high confidence. “We linked with high confidence this malware to Chinese state-sponsored APT groups, in particular the notorious Winnti group,” researchers said in a blog post.

According to THN’s report, the malware has also been linked to another state-sponsored APT group called Earth Berberoka (or GamblingPuppet), which mainly targets gambling websites in China and has been active since 2020. The group uses multi-platform malware such as Pupy RAT and HelloBot.

The malware’s capabilities include a kernel-mode rootkit, which is based on an open-source project called Reptile. The rootkit has limited features, as it mainly installs a hook designed to keep itself hidden.

The implant and the rootkit are both designed to be deployed via shell commands, which download the installer and a custom binary package from a remote server. This binary package extracts the rootkit and a server implant module, which is currently under active development.

The malware is capable of establishing a connection to a remote server and receiving commands to carry out various operations, such as launching a shell, creating sockets, and executing arbitrary commands.

The researchers discovered three samples of the malware, all of which shared a common code base but showed continued development in specific areas, such as the evolution of the communication protocol and the packet format.

Two of the samples the company examined carried the version numbers 20220111 and 20220308, whereas the last sample was dated somewhere between April and May 2022.

The Mélofée implant family is another tool in the arsenal of Chinese state-sponsored attackers, who show constant innovation and development.
