Tag Archive for: linux

Advanced Linux Malware Targeting South Korean Systems


Aug 05, 2023 | THN | Linux / Malware

Reptile Rootkit

Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea.

“Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems,” the AhnLab Security Emergency Response Center (ASEC) said in a report published this week.

“Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server.”

A rootkit is a malicious software program that’s designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022.


The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusion set tracked as Earth Berberoka (aka GamblingPuppet), which has been found to use the malware to hide connections and processes related to a cross-platform Python trojan known as Pupy RAT in attacks aimed at gambling sites in China.

Then in March 2023, Google-owned Mandiant detailed a set of attacks mounted by a suspected China-linked threat actor dubbed UNC3886 that employed zero-day flaws in Fortinet appliances to deploy a number of custom implants as well as Reptile.


ExaTrack, that same month, revealed a Chinese hacking group’s use of a Linux malware called Mélofée that’s based on Reptile. Lastly, in June 2023, a cryptojacking operation discovered by Microsoft used a shell script backdoor to download Reptile in order to obscure its child processes, files, or their content.

A closer examination of Reptile reveals the use of a loader, which uses a tool called kmatryoshka to decrypt and load the rootkit’s kernel module into memory, after which it opens a specific port and waits for the attacker to transmit a magic packet to the host over protocols such as TCP, UDP, or ICMP.


“The data received through the magic packet contains the C&C server address,” ASEC said. “Based on this, a reverse shell…

Source…

Exploring The Anatomy Of A Linux Kernel Exploit


A lot of talk and discussion happens anytime a hardware manufacturer releases a new line of faster, more powerful, or more efficient computers. It’s easy to see better and better specifications and assume that’s where all the progress is made. But without improved software and algorithms, often the full potential of the hardware can’t be realized. That’s the reason for the creation of io_uring, an improved system call interface in the Linux kernel. It’s also where [chompie] went to look for exploits.

The reason for looking here, in a part of the kernel [chompie] had only recently learned about, was twofold. First, because it’s a place where user space applications interact with the kernel, and second because it’s relatively new and that means more opportunities to find bugs. The exploit involves taking advantage of a complicated asynchronous buffer system, specifically at a location where the code confuses a memory location being used by the kernel with one which is supposed to be used for user space.

To actually get this to work as an exploit, though, a much more involved process is needed to make sure the manipulation of these memory addresses results in something actually useful; eventually it is used to gain local privilege escalation. More about it can be found in this bug report as well. Thanks to the fact that Linux is open-source, this bug can quickly be fixed and the patch rolled out to prevent malicious attackers from exploiting it. Open-source software has plenty of other benefits besides being inherently more secure, though.


Source…

New Tsunami botnet targets Linux SSH servers


Researchers warn of an ongoing Tsunami DDoS botnet campaign targeting inadequately protected Linux SSH servers.

Researchers from AhnLab Security Emergency Response Center (ASEC) have uncovered an ongoing hacking campaign, aimed at poorly protected Linux SSH servers, to install the Tsunami DDoS botnet (aka Kaiten). The threat actors behind these attacks were also observed installing other malware families, including ShellBot, XMRig CoinMiner, and Log Cleaner.

The Tsunami DDoS botnet operates as an IRC bot and relies on IRC for C2 communication.

The researchers pointed out that the source code of the Tsunami bot is publicly available, allowing multiple threat actors to create their own botnets. The bot primarily targets IoT devices along with Linux servers, using brute-force attacks.

The following table lists the ID and password values used by the bot in its dictionary attacks, along with the IP address of the target.

ID        Password    Attack Target
admin     qwe123Q#    124.160.40[.]48
sxit      sxit        124.160.40[.]94
root      abcdefghi   124.160.40[.]94
root      123@abc     124.160.40[.]94
weblogic  123         124.160.40[.]94
rpcuser   rpcuser     124.160.40[.]94
test      p@ssw0rd    124.160.40[.]94
nologin   nologin     124.160.40[.]94
Hadoop    p@ssw0rd    124.160.40[.]94
hxw       test123     124.160.40[.]94
backlog   backlog     124.160.40[.]94
dell      123         124.160.40[.]94

Upon successfully logging in, the attackers execute a command to download and run various malware.

The downloader-type Bash script is used to install additional malware and perform various preliminary tasks to take control of infected systems, including the creation of a backdoor SSH account.

Threat actors also generated a new pair of public/private SSH keys for the compromised server to achieve persistent access, even if the user password was changed.

The variant of the Tsunami bot employed in this campaign is a Kaiten variant known as Ziggy; it maintains persistence by writing itself to the “/etc/rc.local” file.

In order to avoid detection, the bot attempts to change the name of its running process to “[kworker/0:0]”. By adopting a name that looks like a normal kernel thread, the malware makes it harder for users to notice it.
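The kernel-thread disguise described above can be checked for from the defender's side. The following is an added example (not code from ASEC or the article): it treats a bracketed name such as “[kworker/0:0]” as suspicious unless the process also has the traits of a genuine kernel thread in /proc (empty cmdline, no resolvable exe link, parent pid 2). The `Proc` record, the helper names and the sample entries are this example's own constructions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2                            # parent of every genuine kernel thread
BRACKETED = re.compile(r"^\[[\w/:.-]+\]$")  # "[kworker/0:0]"-style names
@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str           # /proc/<pid>/comm
    cmdline: str        # /proc/<pid>/cmdline with NULs as spaces; "" for kernel threads
    exe: Optional[str]  # readlink(/proc/<pid>/exe); None when it cannot be resolved

def is_masquerading(p: Proc) -> bool:
    # ps adds the brackets itself for real kernel threads; in /proc those have an
    # empty cmdline, no resolvable exe and kthreadd (pid 2) as parent.
    shown = p.cmdline.split(" ", 1)[0] if p.cmdline else p.comm
    if not BRACKETED.match(shown):
        return False
    return not (p.ppid == KTHREADD_PID and p.cmdline == "" and p.exe is None)

def read_proc(pid: int) -> Optional[Proc]:
    base = f"/proc/{pid}"  # Linux procfs only
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().rstrip(b"\0").replace(b"\0", b" ").decode(errors="replace")
        with open(f"{base}/status") as f:
            ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
    except (OSError, StopIteration):
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return Proc(pid, ppid, comm, cmdline, exe)
def flagged_pids(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if is_masquerading(p)]
def scan_live() -> List[int]:
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return flagged_pids([p for p in map(read_proc, pids) if p is not None])
SAMPLE = [  # constructed sample records, not from any real host
    Proc(1, 0, "systemd", "/sbin/init", "/usr/lib/systemd/systemd"),
    Proc(17, 2, "kworker/0:0", "", None),                                 # genuine kernel thread
    Proc(4242, 1, "[kworker/0:0]", "[kworker/0:0]", "/tmp/.hidden/bot"),  # argv[0] overwritten
    Proc(4300, 1, "[kworker/0:0]", "", "/tmp/.hidden/bot"),               # argv wiped, comm set
]
```

`flagged_pids(SAMPLE)` returns the two renamed processes; `scan_live()` applies the same test to the running host and is a useful cross-check against the `/etc/rc.local` contents when triaging a box.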

The Tsunami botnet supports multiple DDoS attack…

Source…

How to Practice Cyber Security?