Melofee Malware
The malware dubbed Melofee has been discovered to target Linux servers. This previously unknown malware is deployed together with a kernel-mode rootkit and is installed on the breached device using shell commands, similar to other Linux rootkits employed by the Chinese cyberespionage group Winnti. The Melofee samples identified by the infosec researchers were likely created in April/May 2022 and share a common code base.
However, the different versions of the malware show minor differences in communication protocol, encryption, and functionality. The latest version of the malware contains a kernel-mode rootkit, which is a modified version of an open-source project called Reptile. The Melofee rootkit has limited functionality, such as installing one hook to hide itself and another to handle communication with the userland component, but that small footprint is also what makes it a stealthier threat. Details about Melofee were released by a French cybersecurity firm.
The Infection Chain of the Melofee Rootkit
The infection chain of this malware involves several steps, which begin with the execution of shell commands to fetch an installer as well as a custom binary from an attacker-controlled server. The installer, which is written in C++, is responsible for deploying both the rootkit and the server implant, ensuring that both are executed at boot time. Once installed, the rootkit and the implant work together to remain hidden from detection and persist across reboots.
The implant itself has several capabilities, including the ability to terminate its process and remove persistence, update itself and restart, create a new socket for interaction, collect system information, read and write files, launch a shell, and manage directories. This makes it a powerful tool for attackers to use in order to gain access to and control over a victim's system.
To communicate with the Command-and-Control (C&C) server, the Melofee malware supports TCP communication using a custom packet format. It can also use a TLS-encrypted channel to exchange data with the C&C server, adding a layer of encryption that conceals the exchanged data from network inspection. Additionally, the malware can send data using the KCP protocol, expanding the range of possible communication methods.
The Winnti Group Is Believed to Have Been Active for Decades
Winnti, also known by several aliases such as APT41, Blackfly, Barium, Bronze Atlas, Double Dragon, Wicked Spider and Wicked Panda, is a notorious hacking group believed to be sponsored by the Chinese government. The group has been actively launching cyber espionage and financially motivated attacks since at least 2007. The Winnti group has been responsible for several high-profile attacks against organizations in various sectors, including healthcare, gaming, and technology.
Recently, analysis of the Melofee infrastructure has revealed connections with several other hacking groups and their command-and-control (C&C) servers. These groups include ShadowPad, Winnti, and HelloBot, all of which have been responsible for various attacks in the past. Additionally, the Melofee infrastructure has also been linked to several domains that have