Reptile Rootkit employed in attacks against Linux systems in South Korea

Researchers observed threat actors that are using an open-source rootkit called Reptile in attacks aimed at systems in South Korea.

Reptile is an open-source kernel module rootkit that was designed to target Linux systems, unlike other rootkits, it also offers a reverse shell. The malware supports port knocking, it opens a specific port on an infected system and waits for a Magic Packet sent by the attackers to establish a C2 connection.

Researchers from the AhnLab Security Emergency Response Center (ASEC) reported that threat actors are using Reptile to target Linux systems in South Korea.

The researchers observed multiple campaigns leveraging Reptile since 2022.

Recently Mandiant published a report about a campaign attributed to a China-linked APT group that used the Reptile rootkit and exploited the zero-day vulnerability (CVE-2022-41328) in Fortinet products. Researchers from ExaTrack also detailed a campaign using the Mélofée malware and the Reptile rootkit. The researchers attributed the campaign to the China-linked cyberespionage group Winnti.

The Reptile malware uses a loader that is a kernel module packed using the open-source tool kmatryoshka.

The tool is used to decrypt the rootkit and load its kernel module into memory. Then the kernel module opens a specific port and awaits for the attacker communications.

Reptile relies on an engine called KHOOK to hook Linux kernel functions. The rootkit was employed in past attacks against South Korean companies.

“The initial method of infiltration remains unidentified, but upon examination, the Reptile rootkit, reverse shell, Cmd, and startup script were all included, allowing the basic configuration to be ascertained.” states the report from ASEC. “In this particular attack case, apart from Reptile, an ICMP-based shell called ISH was also utilized by the threat actor. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell. Typically, reverse shells or bind shells use protocols like TCP or HTTP, but it is speculated that the threat actor opted for ISH to evade network detection caused by these communication protocols.”

Researchers warn that Reptile can be easily utilized by various threat actors because its code is available as open-source. Threat actor can also customize the rootkit in future attacks and use it in conjunction with other malware.

The report also includes Indicators of Compromise (IOCs) for this threat

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, rootkit)