Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. [1] Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic.
Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems. Port Knocking is the most notable feature out of those supported by Reptile. Port Knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a Magic Packet to the system, the received packet is used as a basis to establish a connection with the C&C server.
This method is similar to that of Syslogk, which was mentioned in a previous report by Avast. [2] One key difference is that Syslogk was developed based on another open-source Linux kernel rootkit called Adore-Ng. However, there are similarities between Syslogk and the features supported by Reptile, such as being on standby in an infected system before being triggered by a Magic Packet, and using a customized TinySHell, known as Rekoobe, as a backdoor for their attack.
After becoming publicly available on GitHub as open-source, Reptile has been used consistently in attacks. For example, a recent report by Mandiant confirmed that a threat group based in China used Reptile in their ongoing attack using the zero-day vulnerability in Fortinet products. [3] Furthermore, in ExaTrack’s report analyzing the Mélofée malware, Reptile rootkit was also identified. ExaTrack attributes this to the activities of the Winnti attack group based in China. [4]
In this post, we will provide a brief analysis of the basic structure and features of Reptile, followed by a compilation of real-world instances where it was employed in attacks targeting Korean companies. Additionally, it should be noted that ICMP Shell was also used in the attack cases in Korea. At the end, we will summarize the similarities with the Mélofée malware cases based on the installation paths or disguised directory names of the malware.
1. Analysis of Reptile
1.1. Structure of Reptile
Figure 1. Operation structure of Reptile1.1.1. Threat Actor’s System
In addition to providing malware to be installed on the infected system, Reptile also supports tools to be used by the threat actor. Listener is a command line tool that operates by being given the port it has to listen to and its password. It waits for a connection from a reverse shell, which will be executed on the infected system. Depending on the options, Reptile can establish a reverse shell connection to a specified address after installation. In this case, the listener running on the C&C server receives this connection and provides the threat actor with the shell.
Even if the threat actor’s C&C server is not designated, the Port Knocking method can be used to transmit a specific packet to the infected system to trigger a reverse shell. This is achieved through a command line tool called Packet, which takes arguments such as the address the reverse shell will attempt to connect to and the protocol used in the Port Knocking method. Listener and Packet can be used manually, but they can also be used through a client that provides an interface.
1.1.2. Affected System
If no installation path is designated, the malware strains are installed in the /reptile/ directory with the file names reptile, reptile_shell, and reptile_cmd by default. The loader, known as “reptile”, is responsible for decrypting and loading the Reptile rootkit kernel module that is encrypted within the file. This means the Reptile rootkit does not exist directly as a kernel module file. Instead, it is installed through a decryption process by the loader.
Figure 2. Installation directoryreptile_cmd is responsible for transmitting commands to the Reptile rootkit, and it communicates with the rootkit by specifying and executing the target to be concealed as an argument. The reverse shell malware, reptile_shell, is capable of receiving command line arguments and is executed by the Reptile rootkit.
If the option to attempt a direct connection to the C&C server during the installation process is specified, the command is assigned to the /reptile/reptile_start script file. The Reptile rootkit operates the reverse shell by executing the mentioned script file after loading the kernel module. Furthermore, it can also execute the reverse shell and transmit the decrypted C&C server address if an address is received through the Port Knocking method.
1.2. Analysis of the Reptile Rootkit
The reptile created in the /reptile/ directory is not a kernel module but a user mode application. When the loader is executed, it decrypts the Reptile kernel module contained within the data section and then loads it into the memory using the init_module() function. Additionally, the algorithm used for encryption and decryption is also used when decrypting the Magic Packet later on. The key value is generated using a random value during the build process, resulting in each generated file having a different value.
Figure 3. Encryption function used in ReptileThe loaded Reptile is a kernel module packed using another open-source tool called kmatryoshka. [5] kmatryoshka is a Linux kernel module-based packer that is responsible for decrypting the original kernel module, which exists in an encrypted form. It then utilizes the sys_init_module() function to load it. As such, the original Reptile rootkit exists in a packed form within both user-mode and kernel-mode.
Figure 4. kmatryoshka routine1.2.1. Analysis of Concealment Feature
Reptile uses a Linux kernel function hooking engine called KHOOK to hook on kernel functions. [6] For example, it hooks the ip_rcv() kernel function to use the Port Knocking method. By doing so, it can monitor the packets it receives.
When delivering commands to the rootkit, Reptile utilizes reptile_cmd, which sends ioctl to the Reptile kernel module. The inet_ioctl() kernel function is hooked in order to monitor this ioctl. Among the data that is sent to ioctl, cmd represents the command number. Like the process concealing command, if additional data such as the PID is required, the argv variable of the control structure is used to transmit the data. During the command delivery process, AUTH and HTUA are random values. Reptile monitors the ioctl and performs corresponding actions when a match is found.
Figure 5. Transmission of ioctl| Number | Command | Description |
|---|---|---|
| 0 | hide / show | Hides or shows itself and files |
| 1 | hide / show | Hides or shows processes |
| 2 | file-tampering | Hides file contents |
| 3 | root | Grants root privilege |
| 4 | conn hide | Hides network communication |
| 5 | conn show | Hides or shows network communications |
Aside from the concealment and Port Knocking features, Reptile provides a feature where the “root” command can be used to give the current user root privileges. It also supports persistence through Udev. The following rules file is created in the /lib/udev/rules.d/ directory and the copied path is designated to ensure that it will be executed even after a reboot.
Figure 6. Created udev rules fileA. File and Directory Concealment
The Reptile rootkit can hide or show files and directories based on the “hide” and “show” commands. The targets to be hidden are paths that contain the specified string during the build. To achieve this, it hooks multiple kernel functions including fillonedir(), filldir(), and filldir64(). If the string of the concealment target is present in the path name, the hooking function returns “ENOENT” which is the “no such file or directory” error.
Figure 7. Concealment of files and directoriesB. Self Concealment
The “hide” and “show” commands support concealment for not only files and directories, but also for the Reptile kernel module itself. When the “hide” command is received, the current module is removed from the module list. Accordingly, using the lsmod command will not show the currently installed Reptile kernel module.
C. Process Concealment
When a PID is given along with the “hide” or “show” command, the process of the PID is concealed. There are four main methods used for process concealment. One involves hooking the find_task_by_vpid() function to return NULL for the concealment target’s process, and another involves hooking the vfs_statx() function to return an “EINVAL” (Invalid argument) error. Additionally, the find_task_by_vpid() function is used in system calls like getsid() and getpgid().
Furthermore, hooking next_tgid() makes it so that the concealment target’s process is skipped, making it invisible in the /proc/ list. Lastly, for the sys_kill and __x64_sys_kill system calls, an “ESRCH” (No such process) error is returned, making termination impossible. Aside from these, the load_elf_binary() function is hooked and processes that have the path of reptile_shell are hidden.
D. TCP/UDP Concealment
If the “conn” command and the concealment target’s IP address are transmitted as an argument, the TCP/UDP network communication can be concealed. The tcp4_seq_show() and udp4_seq_show() functions are hooked for this purpose.
E. File Content Concealment
Reptile provides a file tampering feature, which allows the contents of a file to be hidden. When the tags designated during the build process, like those shown below, are added to the file content, the strings between these tags are concealed. By default, the tags “#<reptile>” and “#</reptile>” can be used. The command to activate this feature is “file-tampering”, and it involves hooking the vfs_read() function.
1.2.2. PORT KNOCKING
The Reptile rootkit supports the Port Knocking technique. After being installed on the infected system, instead of immediately connecting to the C&C server, it opens a certain port and waits until the threat actor sends a Magic Packet to the system, after which it begins to operate. The data received through the Magic Packet contains the C&C server address. Based on this, a reverse shell connects to the C&C server.
In Reptile’s defconfig file, there are basic configurations present. By default, the MAGIC_VALUE is set to “hax0r,” PASSWORD is set to “s3cr3t,” and SRCPORT is set to “666.”
Figure 8. deconfig fileThe Reptile rootkit on the infected system hooks a kernel function and monitors packets incoming through the TCP, UDP, and ICMP protocols. If a TCP or UDP packet is received, the source port is first checked. The “666” port that was designated in the above configuration file is the target.
Figure 9. Scan of SRCPORTThreat actors can use a client to transmit the Magic Packet to the infected system. To do this, they can first choose one of the protocols, TCP, UDP, or ICMP, to be used as part of the Port Knocking technique. They then have to designate the infected system’s IP address and configuration data set during the above creation of Reptile, which includes MAGIC_VALUE, PASSWORD, and SRCPORT. Afterward, when the run command is executed, Packet encrypts the data and transmits it to the infected system.
Figure 10. Reverse shell using Port KnockingIf Reptile, which is listening on port 666, receives a packet through this port, it scans the data in the received packet to check for the value “hax0r,” which is designated by MAGIC_VALUE and TOKEN. When the process reaches this point, Reptile decrypts the packet and obtains the address and port number of the C&C server. It then uses these values as arguments to execute reptile_shell, which is a reverse shell.
Figure 11. Scan of MAGIC_VALUE
1.3. Reverse Shell
The reverse shell executed by the Reptile rootkit connects to the C&C server based on the received address and provides shell access. Additionally, the reverse shell is executed with the argument “s3cr3t”, which is specified as PASSWORD in the configuration data. This PASSWORD serves as the session key for communication with the listener that is waiting on the C&C server.
Reverse shell is a command line tool that operates based on the provided arguments, and it can be executed in two different ways, depending on the conditions. The first method is the Port Knocking technique covered above. The second method involves executing during the installation process of the Reptile rootkit kernel module.
Figure 12. Argument structure of reptile_shellAfter installation, the Reptile rootkit executes the startup script named reptile_start during the initialization process. This can contain numerous commands, a notable one being the command to execute reverse shells.
Figure 13. The make process and the created reptile_start script fileThe reverse shell of Reptile is based on TinySHell, an open-source Linux backdoor. Rekoobe is a backdoor malware based on TinySHell and is known to be predominantly used by Chinese threat groups. [7] Additionally, according to a report from Avast, the Syslogk rootkit also supports the Port Knocking method triggered by a Magic Packet. It also utilizes a customized version of TinySHell, known as Rekoobe, as a backdoor. Based on these similarities, it is speculated that the Syslogk threat actor might have adopted the structure of Reptile in their malware.
When compared to TinySHell, Reptile’s reverse shell shows a remarkable similarity, with most of the code being identical along with the supported commands. In particular, the use of the HMAC SHA1 algorithm and AES-128 key to encrypt the communication data with the C&C server and the data used for integrity verification during the communication process are also the same.
Figure 14. Comparison between TinySHell (left) and Reptile reverse shell (right) routinesSpecifically, the Reptile reverse shell supports a delay command in addition to file download/upload and command execution. Moreover, it includes a built-in feature to send concealment commands to the Reptile rootkit via ioctl, effectively hiding communications with the C&C server.
2. Cases of Attacks
2.1. VirusTotal Hunting
Due to it being an open-source malware that is publicly available on GitHub, Reptile has been utilized by a diverse range of threat actors over time. Even if the recent zero-day vulnerability attack case on Fortinet products by a China-based threat group, which was reported on by Mandiant, [8] is excluded, the periodic uploads of Reptile rootkit malware on the VirusTotal platform can still be observed.
While it is not certain whether they were used in actual attacks, numerous Reptile rootkits have been regularly uploaded to VirusTotal over the past few years. In this section, the configuration data from a portion of these Reptile samples were extracted and categorized. When inspecting the vermagic of the kernel modules, a notable characteristic is that most of them specifically target RHEL or CentOS Linux, either for attacking or testing purposes.
| Date | Name | Port | MAGIC_VALUE | PASSWORD | Location | vermagic |
|---|---|---|---|---|---|---|
| 2020.05.22 | rxp.ko | 666 | smoke | smoker666 | /rxp/ | 2.6.32-696.18.7.el6.x86_64 |
| 2021.06.05 | falc0n.ko | 41302 | 7313F4lc0n4710n | F4lc0nFly1n9d00r | /usr/falc0n/ | 3.10.0-1127.10.1.el7.x86_64 |
| 2022.04.27 | N/A | 2307 | hA30r | x5s3rt | /opttest/ | 3.10.0-1160.59.1.el7.x86_64 |
| 2022.11.21 | myshell.ko | 666 | xiaofangzi | xiaofangzi | /myshell/ | 2.6.32-431.el6.x86_64 |
2.2. Attack Cases in Korea
Reptile has been used in past attacks against Korean companies. The initial method of infiltration remains unidentified, but upon examination, the Reptile rootkit, reverse shell, Cmd, and startup script were all included, allowing the basic configuration to be ascertained.
In this particular attack case, apart from Reptile, an ICMP-based shell called ISH was also utilized by the threat actor. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell. Typically, reverse shells or bind shells use protocols like TCP or HTTP, but it is speculated that the threat actor opted for ISH to evade network detection caused by these communication protocols.
2.2.1. Analysis of Reptile
The malware is presumed to be installed in the “/etc/intel_audio/” directory, and the threat actor used “intel_audio” as their keyword instead of “reptile”.
Figure 15. intel_audio_start scriptFurthermore, the absence of any command lines to execute the reverse shell in the intel_audio_start file suggests that the reverse shell is likely to be used through the Port Knocking method. Alternatively, the threat actor could have used the bind shell, ISH, which will be covered later. Aside from these, the threat actor activated the file-tampering feature.
Next, upon examining the rc.local autorun script, it is evident that a command to ensure persistence exists between the tags “#<intel_audio>” and “#</intel_audio>”, which have been marked for concealment with the file-tampering feature. A notable point is the fact that the threat actor used Reptile in the form of a kernel module rather than a loader. As a result, they load “/etc/intel_audio/intel_audio.ko” by manually inputting the insmod command.
Figure 16. Autorun scrip within rc.localIntel_audio.ko is a kernel module packed with kmatryoshka before being packed by a loader. Upon inspecting the vermagic of the kernel module, “3.10.0-514.el7.x86_64,” it is estimated that the infected system was likely Red Hat or a CentOS-based Linux system.
The extracted rootkit contains various hard-coded configuration data. For example, in the reptile_init() function, the path name of the startup script file, “/etc/intel_audio/intel_audio_start,” was identified. A notable characteristic is that the threat actor set the MAGIC_VALUE and PASSWORD strings to glibc-related strings to disguise it as a normal program.
Figure 17. reptile_init() function| Item | Data |
|---|---|
| Installation path | /etc/intel_audio/intel_audio.ko |
| Port number | 5214 |
| MAGIC_VALUE | “glibc_0.1.5.so” |
| PASSWORD | “glibc_0.1.6.so” |
| Startup script path | /etc/intel_audio/intel_audio_start |
| Reverse shell path | /etc/intel_audio/intel_audio_reverse |
| vermagic | 3.10.0-514.el7.x86_64 |
2.2.2. Analysis of ICMP SHELL
The file executed and targeted to be concealed in the “rc.local” autorun script, located at “/etc/intel_audio/gvfs-gdb-volume-monitor,” is an ICMP Shell known as ISH. ISH consists of the server module ishd and the client module ish. The “gvfs-gdb-volume-monitor” file, operating as ishd, is executed by the Reptile rootkit and kept in a listening state. It is presumed that when the attacker establishes a connection using ish, the ICMP Shell is provided. The command line option identified in “gvfs-gdb-volume-monitor” is the same as ishd.
Figure 18. Main routine of ishdAdditionally, when the threat actor created the ishd malware, they opted not to use the source code as-is. Instead, they made modifications to disguise it as a normal program so that it could avoid file detection. In the following figure, the left side displays the usage() function identified in the original ishd source code, while the right side shows the usage() function in “gvfs-gdb-volume-monitor. This allows the malware to be perceived as a normal program instead of a bind shell since it outputs the string “ICMP Debug Tool” when executed without any specific arguments.
Figure 19. Modified output string
3. Similarities to Mélofée
ExaTrack conducted an analysis of the malware strains that have recently been targeting Linux servers and named them Mélofée. Based on the malware and infrastructure used in the attacks, they identified connections to the Winnti (APT41) threat group, which operates from China. [9]
The threat actor also used the Reptile rootkit during their attack process, and a notable characteristic was the installation of the rootkit in the path name “/etc/intel_audio/intel_audio.ko”. For reference, the path “/etc/intel_audio/intel_audio.ko” is identical to the installation path of the Reptile rootkit in the previously mentioned Linux server attack case that targeted Korean companies.
The use of the Reptile rootkit in the attack process, the identical installation path, and the direct installation of the kernel module through the “insmod” command instead of the conventional methods provided by Reptile are common factors between these two attack cases.
Figure 20. rc.modules file created by MéloféeHowever, there are differences as well. In the Mélofée attack case, the Reptile used had only the file concealment feature activated, and the hidden paths were hardcoded to two locations: “intel_audio” and “rc.modules.”
Figure 21. Hard-coded path to concealment targetDue to the limited available information in the Korean attack case, aside from the malware, there is a limit to how much information can be gathered. However, it is worth noting that the keyword “intel_audio”, though only used to disguise itself as a normal kernel module path, is an uncommon string and stands out as a distinctive characteristic in both attack cases.
4. Conclusion
Reptile is a Linux kernel mode rootkit malware that provides a concealment feature for files, directories, processes, and network communications. Due to being open-source, Reptile can be easily utilized by various threat actors, which has led to numerous attack cases being discovered. Considering the nature of rootkits, they are often used in conjunction with other malware. However, Reptile itself also provides a reverse shell, making systems with Reptile installed susceptible to being hijacked by threat actors.
To prevent such security threats, systems must be checked for vulnerable configurations and relevant systems must always be kept up to date to protect them from attacks. Also, V3 should be updated to the latest version so that malware infection can be prevented.
AhnLab’s anti-malware solution, V3, detects and blocks these malware strains with the following detection names.
File Detection
– Trojan/Script.Config (2023.07.20.03)
– Rootkit/Linux.Reptile.644496 (2020.05.31.00)
– Trojan/Linux.Reptile.10416 (2020.05.31.00)
– Trojan/Linux.Rvshell.55784 (2020.05.31.00)
– Backdoor/Linux.Ishell.10576 (2020.05.31.00)
– Rootkit/Linux.Reptile.560980 (2023.07.18.00)
– Rootkit/Linux.Reptile.802168 (2023.07.18.00)
– Rootkit/Linux.Reptile.799432 (2023.07.18.00)
– Rootkit/Linux.Reptile.569740 (2023.07.18.00)
IOC
MD5
– 1957e405e7326bd2c91d20da1599d18e: Startup script (intel_audio_start)
– d1abb8c012cc8864dcc109b5a15003ac: Reptile Rootkit (intel_audio.ko)
– f8247453077dd6c5c1471edd01733d7f: Reptile Cmd (intel_audio_cmd)
– cb61b3624885deed6b2181b15db86f4d: Reptile Reverse Shell (intel_audio_reverse)
– c3c332627e68ce7673ca6f0d273b282e: ICMP Shell (gvfs-gdb-volume-monitor)
– 246c5bec21c0a87657786d5d9b53fe38: Reptile rootkit (rxp.ko)
– bb2a0bac5451f8acb229d17c97891eaf: Reptile rootkit (falc0n.ko)
– 977bb7fa58e6dfe80f4bea1a04900276: Reptile rootkit (N/A)
– 5b788feef374bbac8a572adaf1da3d38: Reptile rootkit (myshell.ko)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Reptile Malware Targeting Linux Systems appeared first on ASEC BLOG.
Article Link: Reptile Malware Targeting Linux Systems - ASEC BLOG