Keypoints
- Reptile is a Linux kernel rootkit with concealment for files, directories, processes, and network communications, plus a built-in reverse shell.
- A user-mode loader decrypts and loads the kernel module, which is itself packed with kmatryoshka, so the rootkit sits in packed form in both its user-mode and kernel-mode components.
- Rather than connecting to its C2 immediately after infection, Reptile uses port knocking: the reverse shell is triggered only when the module receives a magic packet carrying the C2 address.
- Concealment is implemented through a kernel-hooking engine (KHOOK), and an ioctl-based command interface tells the module which files, directories, processes and network activity to hide or reveal.
- Persistence is achieved via Udev rules and startup scripts (rc.local-style), with commands and startup paths embedded in configuration data.
- Real-world cases include attacks in Korea and links to Mélofée/Winnti, plus ICMP-based ISH shells; similarities to the Syslogk rootkit are noted.
MITRE Techniques
- [T1564] Hide Artifacts – Reptile hides or shows files, directories, processes, and network communications using kernel hooks. “The Reptile rootkit can hide or show files and directories based on the ‘hide’ and ‘show’ commands.”
- [T1027] Obfuscated/Compressed Files and Information – Reptile uses encryption and a packer (kmatryoshka) to decrypt/load its kernel module. “The loaded Reptile is a kernel module packed using another open-source tool called kmatryoshka.”
- [T1059] Command and Scripting Interpreter – Reptile exposes command-line interfaces (Listener and Packet) to issue commands and set up reverse shells. “Listener is a command line tool that operates by being given the port it has to listen to and its password.”
- [T1547] Boot or Logon Autostart Execution – Persistence via Udev rules. “The following rules file is created in the /lib/udev/rules.d/ directory…”
- [T1043] Commonly Used Port – Port-based triggering for the port-knocking flow (SRCPORT 666). “SRCPORT is set to ‘666’.”
- [T1068] Privilege Escalation – The root command can grant root privileges to the current user. “The ‘root’ command can be used to give the current user root privileges.”
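The udev-rules persistence noted under the key points and [T1547] leaves a RUN+= entry that points at the rootkit's start script. The following checker is an added example, not code from the ASEC write-up or from Reptile: it parses udev rule text, pulls out every RUN+= command, and flags commands that run from outside the usual system directories or that reference the file names and installation paths in the IoC list below. The EXPECTED_DIRS set and the sample rules are assumptions constructed for illustration.

```python
import os
import re
from typing import List, Tuple

# File names and installation paths from the Indicators of Compromise on this page.
IOC_NAMES = {"intel_audio_start", "intel_audio.ko", "intel_audio_cmd",
             "intel_audio_reverse", "gvfs-gdb-volume-monitor"}
IOC_PATHS = {"/etc/intel_audio/intel_audio.ko",
             "/etc/intel_audio/intel_audio_start"}

# Directories a RUN+= program is ordinarily expected to live in (assumption; tune per distro).
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                 "/lib/udev/", "/usr/lib/udev/")

# Matches RUN="..." and RUN+="..." assignments but not RUN=="..." match conditions.
RUN_RE = re.compile(r'RUN\+?=\s*"([^"]*)"')

def extract_run_commands(rules_text: str) -> List[str]:
    """Return the command string of every RUN= / RUN+= assignment in the text."""
    cmds = []
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            cmds.extend(RUN_RE.findall(line))
    return cmds

def assess_command(cmd: str) -> List[str]:
    """Return short reason codes for a RUN command (empty list if nothing stands out)."""
    reasons = []
    tokens = cmd.split()
    program = tokens[0] if tokens else ""
    if not program.startswith(EXPECTED_DIRS):
        reasons.append("outside-standard-dirs")
    if any(t in IOC_PATHS or os.path.basename(t) in IOC_NAMES for t in tokens):
        reasons.append("known-ioc")
    return reasons

def scan_udev_rules(rules_text: str) -> List[Tuple[str, List[str]]]:
    """Pair each suspicious RUN command with the reasons it was flagged."""
    assessed = [(c, assess_command(c)) for c in extract_run_commands(rules_text)]
    return [(c, r) for c, r in assessed if r]

# Constructed sample: one benign rule, then one modelled on the IoC installation path.
SAMPLE_RULES = """\
KERNEL=="sd*", SUBSYSTEM=="block", RUN+="/usr/lib/udev/hdparm"
ACTION=="add", RUN+="/etc/intel_audio/intel_audio_start"
"""
```

On a live host, feed it the contents of each file under /lib/udev/rules.d/ and /etc/udev/rules.d/; the second rule in the sample is flagged as both outside-standard-dirs and known-ioc.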
Indicators of Compromise
- [MD5] 1957e405e7326bd2c91d20da1599d18e, d1abb8c012cc8864dcc109b5a15003ac
- [File Name] intel_audio_start, intel_audio.ko
- [File Name] intel_audio_cmd, intel_audio_reverse
- [File Name] gvfs-gdb-volume-monitor
- [Installation Path] /etc/intel_audio/intel_audio.ko, /etc/intel_audio/intel_audio_start
Read more: https://asec.ahnlab.com/en/55785/