Chinese Threat Actor Employs Melofee Malware to Spy on Linux Systems

ExaTrack, a cybersecurity company based in France, has issued a warning about a newly identified Linux implant, named "Melofee," that has been used by the Chinese cyberespionage group Winnti to carry out targeted attacks.

Melofee is designed to target Linux servers and is installed through shell commands, in the same manner as other Linux rootkits employed by Winnti. The malware includes a kernel-mode rootkit that is a modified version of the open-source project Reptile. Several Melofee samples have been identified; they share a common code base but show small differences in encryption, communication protocol, and functionality, and the newest version is the one that adds the kernel-mode rootkit. The infection chain involves the use of shell commands to download an installer and a custom binary from a server controlled by the attacker. The installer, written in C++, installs both the rootkit and the server implant and ensures that both are executed at boot time.
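A kernel-mode rootkit of the Reptile type normally unlinks its module from the list that backs /proc/modules and lsmod, while the module's kobject directory under /sys/module is often left behind. The following script, an added example written for this page rather than code from ExaTrack or from the Melofee or Reptile projects, implements that classic cross-check as a triage step a responder can run on a suspect Linux host. The module name "hidden_lkm_example" and the sample listings are constructed placeholders, not indicators from the report.

```python
"""Cross-check /proc/modules against /sys/module to flag hidden kernel modules.

Parsing is separated from I/O so the same logic runs against artifacts
captured from a suspect host (a saved /proc/modules dump plus a directory
listing) as well as against the live system.
"""
import os
from typing import Dict, List, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Return the module names listed in a /proc/modules dump.

    Each line has the form "<name> <size> <refcount> <deps> <state> <addr>".
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def find_hidden_modules(proc_modules_text: str, sysfs_tree: Dict[str, Set[str]]) -> List[str]:
    """Return names present under /sys/module with an 'initstate' entry but absent from /proc/modules.

    sysfs_tree maps a module name to the set of entry names under /sys/module/<name>.
    Built-in modules also get a /sys/module directory (for their parameters) but
    have no 'initstate' file, so requiring it avoids false positives on them.
    """
    listed = parse_proc_modules(proc_modules_text)
    hidden = [
        name for name, entries in sysfs_tree.items()
        if "initstate" in entries and name not in listed
    ]
    return sorted(hidden)


def read_live_sysfs(root: str = "/sys/module") -> Dict[str, Set[str]]:
    """Build the sysfs_tree mapping from the running system (empty dict if unreadable)."""
    tree: Dict[str, Set[str]] = {}
    try:
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if os.path.isdir(path):
                try:
                    tree[name] = set(os.listdir(path))
                except OSError:
                    tree[name] = set()
    except OSError:
        pass
    return tree


# Constructed sample data (placeholders, not real indicators from the report):
# two legitimate loaded modules, one built-in module, and one loaded module
# that has been unlinked from the /proc/modules view.
PROC_MODULES_SAMPLE = """\
nf_tables 245760 0 - Live 0x0000000000000000
ext4 847872 1 - Live 0x0000000000000000
"""

SYSFS_SAMPLE: Dict[str, Set[str]] = {
    "nf_tables": {"initstate", "refcnt", "sections", "holders"},
    "ext4": {"initstate", "refcnt", "sections", "parameters"},
    "printk": {"parameters"},  # built-in: no initstate, must not be flagged
    "hidden_lkm_example": {"initstate", "refcnt", "sections", "holders"},  # hypothetical hidden LKM
}


if __name__ == "__main__":
    print("sample check:", find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_SAMPLE))
    try:
        with open("/proc/modules", encoding="utf-8") as fh:
            live = find_hidden_modules(fh.read(), read_live_sysfs())
        print("live check:", live or "no hidden modules found by this method")
    except OSError as exc:
        print("live check skipped:", exc)
```

On the constructed sample the check reports only hidden_lkm_example. Treat a clean result as a triage signal rather than proof of absence: a rootkit that also hides its own sysfs directory (Reptile's file-hiding hook can do this for names matching its configured marker) defeats the comparison, so pair it with an offline inspection of the disk image and a memory capture when the host is suspected of compromise.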

The implant can perform several actions, including killing its own process and removing its persistence, updating itself, exfiltrating system information, launching a shell, and creating or deleting directories. Melofee communicates over TCP using a custom packet format and can also send data through the KCP protocol. ExaTrack's analysis of Melofee's infrastructure revealed connections with C&C servers used by other malware families such as ShadowPad, Winnti, and HelloBot. ExaTrack also discovered a Linux implant called 'AlienReverse,' which shows similarities to Melofee's code but is believed to be a distinct malware family.

What is the Winnti Chinese APT?

The Winnti Group is a Chinese Advanced Persistent Threat (APT) that has been active since at least 2010. The group is known for its sophisticated cyber-espionage campaigns and has been linked to numerous high-profile attacks against targets in various industries, including gaming, healthcare, technology, and telecommunications. The Winnti Group has been associated with the theft of intellectual property, source code, and other sensitive information, which is then likely used for commercial gain or to support Chinese government interests.

The group has also been linked to the use of supply chain attacks, where they target software vendors and other third-party suppliers to gain access to their customers' networks. Overall, the Winnti Group is considered to be one of the most advanced and prolific APT groups operating out of China.

April 3, 2023