Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea – ASEC BLOG

MITRE Techniques

• [T1036] Masquerading – Disguises itself by changing its process name to “/bin/bash,” which matches the name of a normal process. (‘disguises itself by changing its process name to “/bin/bash”, which matches the name of a normal process.’)
• [T1573] Encrypted Channel – C2 communications are encrypted using AES-128 keys derived from HMAC-SHA1. (‘Both Tiny SHell and Rekoobe utilize the HMAC SHA1 algorithm to generate an AES-128 key. This key is then used to encrypt the communication data with the C&C server.’)
• [T1027] Obfuscated/Compressed Files and Information – Uses a hard-coded password and encryption for data handling in C2 communications. (‘aside from the two 0x14-byte IVs that are transmitted during the initialization process, a hard-coded password string, “0p;/9ol.”, is also used.’)
• [T1059.004] Unix Shell – Executes commands via a reverse shell, redirecting stdin/stdout to the C2 socket and running /bin/sh. (‘The reverse shell command also has a simple format of redirecting the standard input and output to the socket connected to the C&C server and executing /bin/sh.’)
• [T1105] Ingress Tool Transfer – Supports uploading and downloading files via C2 commands; 1-byte commands select actions like file upload or download. (‘three commands: file upload, file download, or reverse shell.’)