An unknown Chinese state-sponsored hacking group has been linked to a new piece of malware that targets Linux servers. French cybersecurity firm ExaTrack discovered three samples of the malware, which they dubbed Mélofée, dating back to early 2022.
The malware is deployed using shell commands that download an installer and a custom binary package from a remote server. The installer then extracts the rootkit and a server implant module that is currently under active development.
Mélofée’s rootkit is based on the open-source Reptile project. It is a kernel-mode module with a deliberately small feature set, chiefly a hook whose purpose is to hide the rootkit itself. The user-mode implant offers the functions typical of backdoors of this kind, such as contacting a remote server and executing arbitrary commands.
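The article says the kernel module's main job is to hide itself, but not how. A common technique for a loadable kernel module (LKM) rootkit is to unlink itself from the kernel's module list, which is what backs /proc/modules and lsmod. The script below is an added example, not code from ExaTrack or from the page, and it assumes that style of hiding rather than anything stated about Mélofée: it cross-checks /proc/modules against the separately populated /sys/module tree, where a module loaded from a .ko file exposes a `sections` entry. The sample inputs and the module name `evil_lkm` are constructed for the example.

```python
"""Cross-check two kernel views of loaded modules to spot a hidden LKM.

Assumption (not from the article): the rootkit removes itself from the
kernel's module list (/proc/modules, lsmod) but leaves its sysfs entry
under /sys/module in place.  The sample data below is constructed.
"""
import os

# Constructed /proc/modules text: "name size refcount deps state address".
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a00000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09c0000
ext4 782336 1 - Live 0xffffffffc0800000
"""

# Constructed /sys/module listing: name -> whether a `sections` entry exists.
# The kernel creates `sections` only for modules loaded at runtime; built-in
# code (printk here) also has a /sys/module directory but no `sections`.
SAMPLE_SYS_MODULE_DIRS = {
    "xt_conntrack": True,
    "nf_conntrack": True,
    "ext4": True,
    "evil_lkm": True,   # hypothetical hidden module
    "printk": False,    # built in, must not be flagged
}


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-style text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loadable_from_sysfs(entries):
    """Keep only the /sys/module names that correspond to runtime-loaded modules.

    `entries` maps a module name to whether /sys/module/<name>/sections exists.
    """
    return {name for name, has_sections in entries.items() if has_sections}


def hidden_modules(proc_names, sysfs_names):
    """Modules present in sysfs but missing from the module list, sorted."""
    return sorted(set(sysfs_names) - set(proc_names))


def check_sample():
    """Run the comparison on the constructed sample data."""
    return hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                          loadable_from_sysfs(SAMPLE_SYS_MODULE_DIRS))


def check_live(sys_module="/sys/module", proc_modules="/proc/modules"):
    """Run the same comparison against the running Linux host."""
    with open(proc_modules) as fh:
        proc_names = parse_proc_modules(fh.read())
    entries = {
        name: os.path.isdir(os.path.join(sys_module, name, "sections"))
        for name in os.listdir(sys_module)
    }
    return hidden_modules(proc_names, loadable_from_sysfs(entries))


if __name__ == "__main__":
    print("sample:", check_sample())  # ['evil_lkm']
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        print("live:", check_live())
```

Treat an empty result as inconclusive rather than clean: a rootkit can also delete its own sysfs kobject, in which case both views agree and this check stays silent. Memory forensics of the running kernel, or comparing the host against a known-good boot, is the stronger follow-up.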
The malware’s ties to China come from infrastructure overlaps with groups like APT41 (aka Winnti) and Earth Berberoka (aka GamblingPuppet). Earth Berberoka is a state-sponsored actor that has mainly targeted gambling websites in China since at least 2020 using multi-platform malware like HelloBot and Pupy RAT.
Some samples of the Python-based Pupy RAT have been concealed using the Reptile rootkit, according to Trend Micro.
ExaTrack also discovered another implant, AlienReverse, which shares code with Mélofée and relies on publicly available tools such as EarthWorm and socks_proxy. The firm describes the Mélofée implant family as one more tool in the arsenal of Chinese state-sponsored attackers, who continue to innovate and develop their tooling at a steady pace.
The implant’s capabilities are relatively simple, but they could still let adversaries operate under the radar, especially since the implants have rarely been observed in the wild. That scarcity suggests the attackers are reserving them for high-value targets.