new Chinese hacker malware targeting Linux servers

Mélofée: Chinese Hackers' New Malware Targets Linux Servers

Unknown hackers, new malware, but old tricks. What has Mélofée prepared for Linux servers?

Specialists at the information security company ExaTrack report that a previously unknown, China-linked hacker group is using new malware in attacks against Linux servers.

ExaTrack found the malware samples, which date to early 2022, and dubbed the implant Mélofée.

One of the samples delivers a kernel-mode rootkit based on the open-source Reptile project. The rootkit has a limited feature set: its main job is installing kernel hooks that hide the rootkit itself.

According to the researchers, the implant and the rootkit are deployed with shell commands that download an installer and a binary package from a remote server. The installer takes the binary package as an argument and extracts from it the rootkit and the server implant module, which is still under active development.

Mélofée receives instructions from a remote server to manipulate files, create sockets, launch a shell, execute arbitrary commands, and establish persistence. Notably, some Pupy RAT samples from a January campaign were also hidden using the Reptile rootkit.
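A rootkit of this kind hides by hooking one enumeration path (the module list, or the getdents path used to list /proc) while the same state usually stays reachable through another. The script below, an added illustration rather than ExaTrack's tooling or any Reptile or Mélofée code, runs that cross-view check on a live Linux host: loaded modules according to /proc/modules versus /sys/module entries that carry an `initstate` file, and process IDs from a readdir of /proc versus a brute-force stat of /proc/<pid>. The module name `hidden_mod` used in the comments is a constructed placeholder, not a Mélofée indicator.

```python
#!/usr/bin/env python3
"""Cross-view checks for hidden kernel modules and hidden processes on Linux.

Added illustration for this article; not ExaTrack's tooling and not code from
Reptile or Melofee. The same kernel state is enumerated through two independent
paths and anything present in only one of them is reported.
"""
import os
from typing import Iterable, Set

PROC = "/proc"
SYSFS_MODULES = "/sys/module"


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from text in /proc/modules format (name is the first column)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def proc_modules() -> Set[str]:
    """View 1 of loaded modules: the kernel's module list as exposed by /proc/modules."""
    with open(os.path.join(PROC, "modules"), encoding="ascii") as fh:
        return parse_proc_modules(fh.read())


def sysfs_modules(root: str = SYSFS_MODULES) -> Set[str]:
    """View 2: sysfs kobjects. Loadable modules expose <name>/initstate; built-in
    code that only has a /sys/module/<name>/parameters directory does not."""
    try:
        names = os.listdir(root)
    except OSError:
        return set()
    return {n for n in names if os.path.exists(os.path.join(root, n, "initstate"))}


def modules_hidden_from_proc(proc_view: Iterable[str], sysfs_view: Iterable[str]) -> Set[str]:
    """Modules sysfs still knows about but that are missing from the module list
    (e.g. a constructed 'hidden_mod' that unlinked itself from /proc/modules)."""
    return set(sysfs_view) - set(proc_view)


def readdir_pids(root: str = PROC) -> Set[int]:
    """View 1 of processes: a directory listing of /proc. This goes through
    getdents/filldir, a common hook point for process-hiding rootkits."""
    return {int(e) for e in os.listdir(root) if e.isdigit()}


def probe_pids(max_pid: int, root: str = PROC) -> Set[int]:
    """View 2: stat /proc/<pid> for every candidate pid; never calls readdir."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(root, str(pid)))}


def pids_hidden_from_readdir(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Pids reachable by path lookup but absent from the directory listing."""
    return set(probed) - set(listed)


def hidden_pids(rounds: int = 2) -> Set[int]:
    """Repeat the process comparison and keep only pids hidden in every round,
    so processes that exited between the two views are not reported."""
    with open(os.path.join(PROC, "sys", "kernel", "pid_max"), encoding="ascii") as fh:
        max_pid = int(fh.read())
    result = None
    for _ in range(rounds):
        diff = pids_hidden_from_readdir(readdir_pids(), probe_pids(max_pid))
        result = diff if result is None else result & diff
    return result or set()


if __name__ == "__main__":
    missing_mods = modules_hidden_from_proc(proc_modules(), sysfs_modules())
    print("modules missing from /proc/modules:", sorted(missing_mods))
    print("pids missing from readdir(/proc):", sorted(hidden_pids()))
```

Run it as root on the suspect host; a full pid scan takes a few seconds at the default `pid_max`. A clean result is not proof of absence: a Reptile-derived rootkit can also delete its sysfs kobject and hook path lookup, so a mismatch is strong evidence while an empty report only means this cheap first pass found nothing. Memory acquisition and offline analysis of the kernel image remain the authoritative check.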

The ExaTrack team attributed Mélofée to China based on infrastructure overlaps with APT41 (Winnti) and Earth Berberoka (GamblingPuppet).

ExaTrack also discovered another implant, codenamed AlienReverse, which shares code with Mélofée and uses the publicly available tools Earthworm and socks_proxy.

The researchers note that Mélofée's capabilities are relatively simple, but they allow attackers to operate undetected. The implants had not been widely observed, which suggests the operators deploy this malware only against selected targets.

Source: www.securitylab.ru
