Researchers uncovered Mélofée, a Linux-targeted implant with a kernel-mode rootkit tied to Winnti and Chinese state-sponsored actors, featuring evolving capabilities such as a SelfForwardServer. The analysis traces multiple samples, their infrastructure, and links to other tools like HelloBot, ShadowPad, and PlugX, outlining persistence, C2 protocols, and targeted deployment. #Mélofée #Winnti #AlienReverse #HelloBot #ShadowPad #PlugX #CobaltStrike #StowAway #toDesk #EarthBerberoka #Azazel
Keypoints
- Mélofée is a Linux implant family that includes a kernel-mode rootkit and a SelfForwardServer component, and is linked to Winnti and other Chinese state-sponsored groups.
- Three samples (with version numbers 20220111, 20220308, and a late-2022 estimate) show code base sharing and evolving features: protocol changes, encryption shifts from RC4 to XOR, and rootkit inclusion.
- The rootkit hooks file listing (fillonedir, filldir, filldir64) to hide files and hooks inet_ioctl for userland IOCTL communication, loaded via insmod.
- Installation uses attacker-controlled servers, with a C++ installer deploying both rootkit and server components and persisting via /etc/rc.modules and boot scripts.
- Communication protocols include TCP, TLS, and UDP (via KCP), with RC4-based encryption in the later sample and a detailed packet format for commands.
- Infrastructure pivots link Mélofée to ShadowPad, Winnti, HelloBot, PlugX, Spark, Cobalt Strike, StowAway, and toDesk, indicating broader toolchains and cross-family activity in 2022.
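Added example, not code from the original report: a defender-side hunt script for the two host artefacts described above, the insmod persistence in /etc/rc.modules and the filldir/filldir64 hook that hides files. It assumes a Linux host and uses the /etc/intel_audio paths from the indicators below; the hiding check relies on the fact that stat() on a known path does not go through the hooked directory-listing code, so an entry that can be stat()ed but is absent from os.listdir() is worth a closer look.

```python
"""Hunt for Mélofée-style rc.modules persistence and rootkit file hiding (added example)."""
import os
import re
from pathlib import Path

# Artefact paths named in the report; rc.modules is the reported persistence hook.
KNOWN_PATHS = ["/etc/intel_audio/intel_audio.ko", "/etc/intel_audio/audio"]
BOOT_SCRIPTS = ["/etc/rc.modules", "/etc/rc.local"]   # rc.local is an assumed extra location
INSMOD_RE = re.compile(r"^\s*(?:\S*/)?insmod\s+(\S+)", re.M)

def insmod_targets(script_text):
    """Kernel object paths that a boot script loads with insmod."""
    return INSMOD_RE.findall(script_text)

def hidden_from_listing(path, listing=None):
    """True when the entry can be stat()ed but is missing from its parent's
    listing, which is what a filldir/filldir64 hook produces.
    `listing` may be injected for testing; by default the real listing is read."""
    p = Path(path)
    try:
        p.lstat()                 # lstat() does not use the hooked getdents path
        names = os.listdir(p.parent) if listing is None else listing
    except OSError:
        return False
    return p.name not in names

def module_loaded(ko_path, proc_modules_text=None):
    """True if the module named by the .ko file appears in /proc/modules."""
    name = Path(ko_path).stem.replace("-", "_")
    if proc_modules_text is None:
        try:
            proc_modules_text = Path("/proc/modules").read_text()
        except OSError:
            return False
    return any(line.split(" ", 1)[0] == name for line in proc_modules_text.splitlines())

def hunt():
    """Collect findings for the current host (needs read access to the boot scripts)."""
    findings, candidates = [], set(KNOWN_PATHS)
    for script in BOOT_SCRIPTS:
        try:
            for ko in insmod_targets(Path(script).read_text()):
                candidates.add(ko)
                findings.append(f"{script} loads {ko} with insmod")
        except OSError:
            continue
    for path in sorted(candidates):
        if hidden_from_listing(path):
            findings.append(f"{path} exists but is hidden from its directory listing")
        if path.endswith(".ko") and module_loaded(path):
            findings.append(f"module from {path} is currently loaded")
    return findings

if __name__ == "__main__":
    for line in hunt() or ["no Mélofée indicators found"]:
        print(line)
```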
MITRE Techniques
- [T1583.001] Acquire Infrastructure – “Attackers acquired servers for staging and command & control”
- [T1583.004] Acquire Infrastructure – Domains – “Attackers acquired domains”
- [T1071.001] Web Protocols – “Attacker uses application layer protocols as C2”
- [T1587.001] Develop Capabilities – Custom Malware – “Adversary develops custom malware to achieve its attacks”
- [T1037.004] Boot or Logon Autostart Execution – RC Scripts – “Adversary uses RC scripts as persistence”
- [T1059.004] Unix Shell – “Attacker uses Unix shell commands and scripts”
- [T1132.002] Data Encoding – Non-Standard Encoding – “Non-standard encoding using KCP”
- [T1573.001] Encrypted Channel – RC4 – “Attacker uses RC4 to encrypt its C2 traffic”
- [T1083] File and Directory Discovery – “File and directory discovery”
- [T1592.002] OS Version Discovery – “Attacker discovers the installed version of the Linux distribution”
- [T1564.001] Hide Artifacts – Rootkit – “Adversary hides the files using a rootkit”
- [T1562.003] Disable Windows Shell History – “Adversary disables the shell history when executing a command”
- [T1070.004] Indicator Removal on Host – Remove Implant/Rootkit/Configuration – “Adversary can remove the implant, the rootkit and its configuration from the system”
- [T1599.001] Modify Firewall – “Adversary can modify the firewall rules of the compromised host”
- [T1095] Non-Application Layer Protocols – UDP – “Adversary can use UDP as a communication layer”
- [T1571] Non-Standard Port – “Adversary can use alternative ports for communication”
- [T1027.002] UPX – Packed with UPX – “HelloBot implants are packed using UPX with the configuration appended”
- [T1027.007] Obfuscated/Compressed Files – Pack/Strip – “Adversary payloads are stripped”
- [T1588.001] Acquire Capabilities – Download Malware – “Adversary may buy or download malware”
- [T1588.002] Acquire Capabilities – Download Tools – “Adversary may buy or download tools such as Cobalt Strike”
- [T1057] Process Discovery – “Adversary may list the processes executing on the compromised host”
- [T1572] Protocol Tunneling – “Adversary may tunnel network communications”
- [T1090] Proxy – “Adversary may use a connection proxy for accessing internal resources”
- [T1014] Rootkit – “Adversary uses a rootkit”
- [T1608.001] Ingress Tool Transfer – Upload Malware – “Adversary uploads its malware on its infrastructure for deployment”
- [T1608.002] Ingress Tool Transfer – Upload Tools – “Adversary uploads its tools on its infrastructure”
- [T1082] System Information Discovery – “Adversary gets detailed information about the compromised host such as the operating system version”
- [T1497.003] Time-Based Evasion – “Adversary uses time-based methods to avoid detection”
Indicators of Compromise
- [Domain] – AlienReverse C&C domains – dgbyem.com, data-yuzefuji.com, and other domains listed in the article
- [IP] – Mélofée C&C and staging hosts – 173.209.62.186, 173.209.62.187
- [IP] – Mélofée C2 IPs – 156.67.208.192, 5.61.57.80, 173.209.62.188
- [SHA256] – Installer/implant hashes – 3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d, 758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0
- [SHA256] – Rootkit/implant variants – a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a, 8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7
- [Filename] – Installed paths – /etc/intel_audio/intel_audio.ko, /etc/intel_audio/audio
Read more: https://blog.exatrack.com/melofee/