| Rekoobe | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | China |
| Date of Initial Activity | 2015 |
| Targeted Countries | Italy |
| Associated Groups | APT31 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Linux |
| Type of Information Stolen | Personally Identifiable Information (PII) |
Overview
The Rekoobe backdoor, first discovered in 2015, has become a notable tool in the arsenal of threat actors, in particular the Chinese group APT31. A recent analysis by the AhnLab Security Emergency Response Center (ASEC) sheds light on the operational details and impact of Rekoobe, focusing on its use against Linux systems in Korea. The analysis covers the malware's technical features as well as its persistent presence and evolving nature.
Rekoobe targets Linux environments and has been built for several CPU architectures, including x86, x64 and SPARC. It is derived from the open-source Tiny SHell project and inherits most of its features from that code base while adding enhancements of its own. Its functionality consists of downloading files from, uploading files to, and executing commands received from a command-and-control (C&C) server. Because Tiny SHell's source is freely available, samples built from it differ considerably in their implementation, which makes Rekoobe hard to delineate as a single family.
Targets
Technology and IT Infrastructure: Given that Rekoobe is a Linux-based malware, it predominantly targets technology sectors and IT infrastructure where Linux servers are commonly used. This includes web hosting services, data centers, and IT management companies.
Corporate and Enterprise Environments: The malware’s capability to perform file uploads, downloads, and execute reverse shell commands makes it suitable for targeting corporate environments. Companies that rely on Linux servers for critical operations may be particularly vulnerable.
Educational and Research Institutions: In some cases, Linux servers are used by educational and research institutions, making them potential targets for Rekoobe as well. These institutions may be targeted for both data theft and disruption.
How they operate
Technical Operation and Communication
At its core, Rekoobe is a backdoor designed to target Linux environments, particularly those running on x86, x64, and SPARC architectures. It derives its functionality from the Tiny SHell open-source program, though it extends beyond Tiny SHell’s basic capabilities. Rekoobe’s primary functions include downloading and uploading files, executing commands, and providing a reverse shell. The malware is known for its stealthy operation, utilizing several sophisticated techniques to avoid detection and maintain its foothold on compromised systems.
One of Rekoobe's most striking features is the way it disguises itself. Once running, it overwrites its own argv[0] with the string "/bin/bash" using strcpy(), so that tools such as ps, which read /proc/<pid>/cmdline, list it as an ordinary shell. Unlike Tiny SHell, Rekoobe accepts no command-line options for the C&C server address or the password; both are hard-coded into the binary, so the connection details never appear in the process arguments.
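The disguise described above only changes what /proc/<pid>/cmdline reports; the kernel-maintained /proc/<pid>/exe link still resolves to the file that was actually executed. The Go program below is an added example (not code from the ASEC analysis and not Rekoobe's or Tiny SHell's code) that turns that gap into a host check: it compares argv[0] against the exe target for every process, treats login-shell "-bash", process titles such as "sshd: user@pts/0" and versioned interpreters as legitimate, and flags binaries that were deleted after exec. The function names and the sample paths are mine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// procRecord holds the parts of /proc/<pid>/ that a ps-style listing is built from.
type procRecord struct {
	pid   int
	argv0 string // first NUL-separated field of /proc/<pid>/cmdline; the process can rewrite it
	exe   string // readlink /proc/<pid>/exe: the file that was actually executed
}

// argv0Mismatch returns why the process looks like it is lying about its name, or ""
// if argv[0] and the executable agree. strcpy()-ing "/bin/bash" over argv[0] changes
// cmdline only; the exe link is maintained by the kernel and still names the real file.
func argv0Mismatch(r procRecord) string {
	if r.argv0 == "" || r.exe == "" {
		return "" // kernel threads have no cmdline; exe is unreadable without privileges
	}
	if strings.HasSuffix(r.exe, " (deleted)") {
		return "executable was unlinked after exec: " + r.exe
	}
	fields := strings.Fields(strings.TrimPrefix(r.argv0, "-")) // login shells show "-bash"
	if len(fields) == 0 {
		return ""
	}
	if resolved, err := filepath.EvalSymlinks(fields[0]); err == nil && resolved == r.exe {
		return "" // e.g. /bin/sh -> /usr/bin/dash on Debian-style hosts
	}
	claimed := strings.TrimSuffix(filepath.Base(fields[0]), ":") // "sshd: user@pts/0", "nginx: worker"
	if !strings.HasPrefix(filepath.Base(r.exe), claimed) {      // python3 vs python3.11 is fine
		return fmt.Sprintf("argv[0] %q but exe is %s", r.argv0, r.exe)
	}
	return ""
}

// scanProc applies argv0Mismatch to every numeric entry below root (normally "/proc")
// and returns one line per finding. Run it as root: for other users' processes the exe
// link is unreadable and those entries are skipped, not flagged.
func scanProc(root string) []string {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil
	}
	var findings []string
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // "self", "sys", "net", ...
		}
		dir := filepath.Join(root, e.Name())
		cmdline, _ := os.ReadFile(filepath.Join(dir, "cmdline"))
		argv0 := strings.SplitN(string(cmdline), "\x00", 2)[0]
		exe, _ := os.Readlink(filepath.Join(dir, "exe"))
		if why := argv0Mismatch(procRecord{pid: pid, argv0: argv0, exe: exe}); why != "" {
			findings = append(findings, fmt.Sprintf("pid %d: %s", pid, why))
		}
	}
	return findings
}

func main() {
	for _, f := range scanProc("/proc") {
		fmt.Println(f)
	}
}
```

This is a triage signal, not a verdict: multi-call binaries such as busybox and interpreters started through a shebang script will also disagree and need an allow-list. A second independent signal is /proc/<pid>/comm, which the kernel sets at execve from the executable's name and which writing into argv[0] does not touch.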
Encryption and Command Execution
Rekoobe encrypts its traffic with the C&C server. At the start of a session the C&C server sends a 0x28-byte (40-byte) packet, which Rekoobe splits into two 0x14-byte (20-byte) initialization vectors, one per direction. Each IV is hashed together with the hard-coded password (SHA-1, with the digest also keying HMAC-SHA1), and the resulting digest yields the AES-128 key used to encrypt and decrypt everything exchanged afterwards: commands, file contents and shell I/O. This is the key-agreement scheme Rekoobe inherits from Tiny SHell, and it has a practical consequence for analysts: the IVs cross the wire in the clear, so the hard-coded password recovered from a sample is sufficient to decrypt a captured session.
The protocol then proceeds in fixed steps. The C&C server sends an encrypted integrity-verification value; Rekoobe decrypts its first block with the AES-128 key (CBC decryption, an AES decrypt followed by an XOR with the previous block, exposes the length field) to learn how much data follows, and replies with its own 0x10-byte (16-byte) integrity value. Once both sides have verified each other, the server sends a 1-byte command selecting one of three actions: file upload, file download or reverse shell. Each is simple: the file operations exchange a path followed by the file's contents, and the reverse shell spawns a shell with its standard input and output redirected to the socket connected to the C&C server.
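The key derivation and the challenge exchange described in this section, as an added example in Go; this is not code from the ASEC analysis, from Rekoobe or from Tiny SHell. It re-implements the scheme of Tiny SHell's PEL layer that the text says Rekoobe inherits (SHA-1 over password and IV, AES-128-CBC framing, HMAC-SHA1 with a packet counter) and runs both ends of the handshake in memory, so a captured session can be compared against it. The password "p4ss", the fixed IV block and the 16-byte challenge constant are placeholders chosen for the demo; the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// 16-byte challenge each side must prove it can encrypt; Tiny SHell hard-codes one in pel.c, this value is a demo placeholder.
var pelChallenge = []byte("\x58\x90\xAE\x86\xF1\xB9\x1C\xF6\x29\x83\x95\x71\x1D\xDE\x58\x0D")

// pelContext is one direction (send or receive) of a session.
type pelContext struct {
	block  cipher.Block
	lct    [16]byte // last ciphertext block: CBC state carried across packets
	macKey []byte   // the SHA-1 digest doubles as the HMAC-SHA1 key
	cntr   uint32   // packet counter folded into every MAC
}

// setupContext: digest = SHA-1(password || IV); AES-128 key = digest[:16]; HMAC key = digest; CBC IV = IV[:16].
func setupContext(password string, iv []byte) *pelContext {
	digest := sha1.Sum(append([]byte(password), iv[:20]...))
	blk, _ := aes.NewCipher(digest[:16]) // a 16-byte key never fails
	c := &pelContext{block: blk, macKey: digest[:]}
	copy(c.lct[:], iv[:16])
	return c
}

// tag computes HMAC-SHA1(macKey, ciphertext || 4-byte big-endian packet counter).
func (c *pelContext) tag(ct []byte) []byte {
	mac := hmac.New(sha1.New, c.macKey)
	mac.Write(ct)
	mac.Write([]byte{byte(c.cntr >> 24), byte(c.cntr >> 16), byte(c.cntr >> 8), byte(c.cntr)})
	return mac.Sum(nil)
}

// sendMsg frames msg as [2-byte length || msg || zero pad to 16], encrypts with AES-128-CBC, appends the tag.
func (c *pelContext) sendMsg(msg []byte) ([]byte, error) {
	if len(msg) == 0 || len(msg) > 4096 {
		return nil, fmt.Errorf("pel: bad message length %d", len(msg))
	}
	buf := make([]byte, (2+len(msg)+15)&^15) // zero padding comes for free
	buf[0], buf[1] = byte(len(msg)>>8), byte(len(msg))
	copy(buf[2:], msg)
	cipher.NewCBCEncrypter(c.block, c.lct[:]).CryptBlocks(buf, buf)
	copy(c.lct[:], buf[len(buf)-16:]) // the next packet chains off this one
	t := c.tag(buf)
	c.cntr++
	return append(buf, t...), nil
}

// recvMsg decrypts block 0 to learn the length (the CBC XOR step), checks the MAC, then decrypts the rest.
func (c *pelContext) recvMsg(pkt []byte) ([]byte, error) {
	if len(pkt) < 36 {
		return nil, fmt.Errorf("pel: short packet")
	}
	var first [16]byte
	c.block.Decrypt(first[:], pkt[:16])
	n := int(first[0]^c.lct[0])<<8 | int(first[1]^c.lct[1])
	ctLen := (2 + n + 15) &^ 15
	if n == 0 || n > 4096 || len(pkt) != ctLen+20 {
		return nil, fmt.Errorf("pel: bad message length %d", n)
	}
	if !hmac.Equal(c.tag(pkt[:ctLen]), pkt[ctLen:]) {
		return nil, fmt.Errorf("pel: MAC verification failed")
	}
	c.cntr++
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(c.block, c.lct[:]).CryptBlocks(pt, pkt[:ctLen])
	copy(c.lct[:], pkt[ctLen-16:ctLen])
	return pt[2 : 2+n], nil
}

// handshake plays both ends in memory: the C&C (PEL client) has sent the 40-byte IV block ivs
// in the clear and now sends its encrypted challenge; the implant (PEL server) verifies it and answers.
func handshake(ivs []byte, cncPassword, implantPassword string) error {
	if len(ivs) != 40 {
		return fmt.Errorf("pel: need 40 bytes of IV, got %d", len(ivs))
	}
	cncSend, cncRecv := setupContext(cncPassword, ivs[:20]), setupContext(cncPassword, ivs[20:])
	impRecv, impSend := setupContext(implantPassword, ivs[:20]), setupContext(implantPassword, ivs[20:])
	pkt, _ := cncSend.sendMsg(pelChallenge)
	if got, err := impRecv.recvMsg(pkt); err != nil || string(got) != string(pelChallenge) {
		return fmt.Errorf("pel: implant rejected C&C challenge: %v", err)
	}
	pkt, _ = impSend.sendMsg(pelChallenge)
	if got, err := cncRecv.recvMsg(pkt); err != nil || string(got) != string(pelChallenge) {
		return fmt.Errorf("pel: C&C rejected implant challenge: %v", err)
	}
	return nil
}

func main() {
	ivs := []byte("0123456789abcdef0123456789abcdef01234567") // fixed 40-byte IV block for the demo
	fmt.Println(handshake(ivs, "p4ss", "p4ss"), handshake(ivs, "p4ss", "wrong"))
}
```

Two properties of the scheme are visible here: there is no forward secrecy, since the session key depends only on the password and on IVs that travel unencrypted, and the counter inside the MAC rejects a replayed frame within a session but does nothing against replaying a whole session, because the IVs are chosen by the connecting side.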
Variants and Persistence Mechanisms
Rekoobe exists in a number of variants that differ in how they communicate and persist. Some carry a hard-coded C&C address and connect out (reverse shell); others run in bind-shell mode, opening a listening port and waiting for the operator to connect in. This variation suggests a builder that lets the operator set the address or port, the password and other parameters for each build.
Several samples also share a default or static password, which again points to a common builder with preset options. Whatever the variant, the core remains the same: the AES-128 channel and the small command set described above.
MITRE Tactics and Techniques
Initial Access:
Exploit Public-Facing Application (T1190): Rekoobe has been reported to be delivered through a compromised popular WordPress plugin. Strictly, that delivery is Supply Chain Compromise (T1195); T1190 applies where the implant is dropped after a vulnerability in an exposed web application is exploited for initial access.
Execution:
Command and Scripting Interpreter (T1059): Rekoobe uses a reverse shell command to execute commands on the compromised system, which aligns with the use of command and scripting interpreters for execution.
Persistence:
No persistence mechanism is described in the analysis. Renaming the process to "/bin/bash" is Masquerading: Match Legitimate Name or Location (T1036.005), which belongs under Defense Evasion: it keeps the implant unnoticed rather than resident across reboots.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Although not explicitly described in the provided analysis, gaining additional privileges could be a part of its operational strategy, especially if it needs to perform actions beyond standard user permissions.
Defense Evasion:
Masquerading: Match Legitimate Name or Location (T1036.005) and Encrypted Channel: Symmetric Cryptography (T1573.001): Rekoobe disguises its process name as "/bin/bash" and wraps its C&C traffic in AES-128 with HMAC-SHA1. Obfuscated Files or Information (T1027) would apply only if the binary itself were packed or its strings encoded, which the analysis does not describe.
Indicator Removal on Host (T1070): The malware’s ability to execute commands and potentially manipulate file systems could involve activities related to clearing logs or removing indicators of compromise.
Credential Access:
Credential Dumping (T1003): If Rekoobe is used to exfiltrate data, it might involve accessing credential stores, though this is not explicitly detailed in the analysis.
Discovery:
System Information Discovery (T1082): By executing commands and interacting with the compromised system, Rekoobe may perform discovery activities to gather information about the system environment.
Command and Control:
Non-Application Layer Protocol (T1095): the C&C exchange described above is a custom binary protocol carried directly over a TCP connection (a 40-byte IV block followed by AES-encrypted frames), not HTTP, so Application Layer Protocol (T1071) does not apply.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): The malware’s ability to download and upload files through its C&C channel fits the exfiltration tactic, where data is transferred over the same communication channel used for control.
Impact:
Data Destruction (T1485): While not explicitly stated in the analysis, the malware’s capabilities could be used to destroy or manipulate data as part of its impact on the targeted systems.