Reptile Rootkit Uses Port Knocking

Cyber threat actors have turned their attention to Linux systems in South Korea, deploying an open-source rootkit named Reptile. What sets Reptile apart from conventional rootkit malware is its advanced functionality. Beyond merely concealing its presence, Reptile offers a reverse shell feature, providing attackers with a direct means to take control of compromised systems. This revelation comes courtesy of the AhnLab Security Emergency Response Center (ASEC), which released a report recently.

The modus operandi of Reptile involves an interesting technique known as "port knocking." The malware opens a specific port on the compromised system and then waits, effectively putting the system on standby. When a threat actor sends a specially crafted "magic packet" to the infected host, the packet serves as the trigger for the rootkit to establish a connection to the Command and Control (C&C) server.

Reptile Displays Possible Links to Pupy RAT

At its core, a rootkit is a malicious program deliberately designed to secure elevated access to a computer system, all while maintaining its clandestine presence. Since 2022, Reptile has been employed in at least four distinct campaigns. Its debut appearance was identified by Trend Micro in May 2022 when it was linked to the Earth Berberoka intrusion set, utilized for obscuring connections and processes related to the Pupy RAT trojan. The latter was used in attacks against gambling websites in China.

Fast forward to March 2023, and Google-owned Mandiant exposed a series of attacks orchestrated by UNC3886, a suspected threat actor group linked to China. These attackers exploited zero-day vulnerabilities in Fortinet appliances to distribute various custom implants, including Reptile.

Another instance in the same month highlighted the usage of Reptile-based malware named Mélofée by a Chinese hacking group, according to ExaTrack. Lastly, a cryptojacking operation flagged by Microsoft in June 2023 used a Reptile-downloading shell script backdoor to mask its activities.

An in-depth analysis of Reptile's mechanics reveals the presence of a loader that harnesses a tool called "kmatryoshka" to decrypt and load the rootkit's kernel module into system memory. Once loaded, the rootkit opens a designated port and waits for an attacker to transmit a magic packet, a technique reminiscent of another rootkit named Syslogk, which was documented by Avast the previous year.
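The activation pattern described above (a listening port that stays quiet until a single unsolicited packet arrives, followed shortly by an outbound connection from the same host) is something a defender can look for in flow data even without knowing the magic packet's format. The following is an added example written for this article, not code from ASEC's report or from the Reptile project: it runs a simple "knock then callback" heuristic over constructed flow records. The port number 41225, the addresses, the 60-second window and the record layout are all assumptions; the article does not disclose Reptile's port or packet format.

```python
"""Heuristic: flag an internal host that receives an inbound flow on a
rarely-used port and then opens a first-time outbound connection to an
external address within a short window.

All values below are constructed for illustration (not from the article).
Flow records are dicts: ts (epoch seconds), src, dst, dport.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the monitored (internal) address space.
INTERNAL_NET = ip_network("10.0.0.0/8")


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def detect_knock_then_callback(flows, window=60, rare_port_max=2):
    """Return a list of alerts, one per (knock, callback) pair found.

    A 'knock' is an inbound flow to an internal host on a port that fewer
    than `rare_port_max` + 1 distinct external sources ever touched (so a
    busy service port such as 443 is ignored). A 'callback' is an outbound
    flow from that host to an external address it had not contacted before,
    starting within `window` seconds after the knock.
    """
    flows = sorted(flows, key=lambda f: f["ts"])
    inbound = [f for f in flows if not is_internal(f["src"]) and is_internal(f["dst"])]
    outbound = [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]

    # Count distinct external sources per (host, port) to separate real
    # services from ports that only ever see a single unsolicited packet.
    port_sources = Counter()
    seen = set()
    for f in inbound:
        key = (f["dst"], f["dport"], f["src"])
        if key not in seen:
            seen.add(key)
            port_sources[(f["dst"], f["dport"])] += 1

    alerts = []
    for out in outbound:
        host = out["src"]
        # First-contact check: skip destinations the host already talked to.
        prior = any(o["src"] == host and o["dst"] == out["dst"] and o["ts"] < out["ts"]
                    for o in outbound)
        if prior:
            continue
        for knock in inbound:
            if knock["dst"] != host:
                continue
            delay = out["ts"] - knock["ts"]
            if not 0 <= delay <= window:
                continue
            if port_sources[(host, knock["dport"])] > rare_port_max:
                continue  # busy service port, not a knock
            alerts.append({
                "host": host,
                "knock_src": knock["src"],
                "knock_port": knock["dport"],
                "callback_dst": out["dst"],
                "callback_port": out["dport"],
                "delay": delay,
            })
    return alerts


# Constructed sample flows (documentation/test address ranges, not real hosts).
SAMPLE_FLOWS = [
    # Baseline: a public web service on 10.0.0.5:443 seen by several clients.
    {"ts": 1000, "src": "198.51.100.20", "dst": "10.0.0.5", "dport": 443},
    {"ts": 1005, "src": "198.51.100.21", "dst": "10.0.0.5", "dport": 443},
    {"ts": 1010, "src": "198.51.100.22", "dst": "10.0.0.5", "dport": 443},
    # Benign outbound DNS shortly after normal traffic; 443 is a busy port,
    # so this must not be flagged.
    {"ts": 1012, "src": "10.0.0.5", "dst": "192.0.2.53", "dport": 53},
    # A single unsolicited packet to an otherwise unused port (placeholder 41225).
    {"ts": 2000, "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 41225},
    # Twelve seconds later the host connects out to a never-seen external address.
    {"ts": 2012, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 4444},
]


if __name__ == "__main__":
    for alert in detect_knock_then_callback(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the heuristic raises exactly one alert, for the 41225 knock followed by the connection to 203.0.113.9. In production the "rare port" threshold and the first-contact check should be tuned against a baseline period, otherwise NAT'd clients and scanners will generate noise; the point of the example is that the two-step timing pattern, not the packet contents, is the observable.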

Further, AhnLab noted that it had uncovered an attack case involving Reptile in South Korea. Interestingly, this incident bore tactical similarities to the Mélofée attack, hinting at a possible connection between the threat actors behind them or at shared methodologies.

August 7, 2023