Rekoobe Backdoor Found in Open Directory, Potentially Aiming at TradingView Users

Rekoobe backdoor, linked to APT31 (Zirconium), was found in an open directory and tied to lookalike TradingView domains used in potential phishing. Discoveries also show shared SSH keys tying multiple IPs into a broader attacker infrastructure, with concerns about misuse of security tooling like Yakit Security Tool. #Rekoobe #APT31 #Zirconium #TradingView #SSHKeys #YakitSecurityTool

Keypoints

  • Rekoobe is a backdoor linked to APT31 (Zirconium).
  • Malware uses enhanced encryption and unique command-and-control configurations.
  • Two Rekoobe samples were discovered in an open directory.
  • Lookalike domains mimicking TradingView indicate potential phishing activity.
  • Shared SSH keys connect multiple IP addresses, indicating a coordinated infrastructure.
  • Yakit Security Tool’s presence raises concerns about potential misuse alongside Rekoobe.
  • Hunting open directories can reveal attacker infrastructure and expand visibility.

MITRE Techniques

  • [T1071] Command and Control – Use of unique command-and-control configurations to evade detection.
  • [T1003] Credential Dumping – Potential use of shared SSH keys for lateral movement.
  • [T1210] Exploitation of Remote Services – Malware attempts to communicate over specific ports.
  • [T1566] Phishing – Use of typosquatting domains for phishing attacks.

Indicators of Compromise

  • [IP Address] Open directory hosting infrastructure – 27.124.45[.]146, 27.124.45[.]211
  • [Domain] Typosquatting domains mimicking TradingView – tradingviewll[.]com, tradingviewlll[.]com
  • [File Name] Rekoobe binaries found in open directory – 10-13-x64.bin, 10-13-x86.bin
  • [SHA-256] Hashes of the binaries – a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3, 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
  • [SSH Key Fingerprint] Shared SSH key across multiple IPs – 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee
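As an added example (not code from the Hunt.io post), a small Python scan that refangs the indicators listed above and matches them against constructed sample log lines, with token boundaries so that an IP or hash embedded in a longer value is not reported as a hit:

```python
import re

# Indicators exactly as the report above publishes them, defanged with "[.]".
REPORT_IOCS = {
    "ip": ["27.124.45[.]146", "27.124.45[.]211"],
    "domain": ["tradingviewll[.]com", "tradingviewlll[.]com"],
    "sha256": [
        "a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3",
        "28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b",
    ],
}

def refang(value):
    """Undo the usual defanging so the indicator can be matched literally."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(iocs):
    """One case-insensitive regex per indicator type, with boundaries so that
    127.124.45.146 or 27.124.45.1461 is not reported as 27.124.45.146.
    Domains may follow a dot, so a subdomain of a typosquat domain still hits."""
    matchers = {}
    for kind, values in iocs.items():
        alts = "|".join(re.escape(refang(v)) for v in values)
        edge = r"\w" if kind == "domain" else r"[\w.]"
        matchers[kind] = re.compile(
            r"(?<!%s)(%s)(?!%s)" % (edge, alts, edge), re.IGNORECASE)
    return matchers

def scan_logs(lines, iocs=REPORT_IOCS):
    """Return (line_number, indicator_type, matched_value) for every hit."""
    matchers = build_matchers(iocs)
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, regex in matchers.items():
            for match in regex.finditer(line):
                hits.append((number, kind, match.group(1).lower()))
    return hits

# Constructed sample log lines for demonstration; not taken from the report.
SAMPLE_LOGS = [
    "dns client=10.0.0.5 qname=www.tradingviewlll.com type=A",
    "fw allow src=10.0.0.5 dst=27.124.45.146 dport=443",
    "edr file_create path=/tmp/10-13-x64.bin sha256=" + REPORT_IOCS["sha256"][0].upper(),
    "dns client=10.0.0.7 qname=tradingview.com type=A",
    "fw allow src=10.0.0.9 dst=127.124.45.146 dport=80",
]

if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS):
        print("line %d: %s %s" % (number, kind, value))
```

The legitimate tradingview.com query and the 127.124.45.146 connection produce no hits; the uppercase hash from the EDR line still matches because the comparison is case-insensitive.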

Read more: https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users