
Reptile Rootkit

Threat actors have been observed employing an open-source rootkit named Reptile to target Linux systems in South Korea. Unlike conventional rootkit malware, which primarily focuses on concealing activity, Reptile goes a step further by offering reverse shell functionality. This gives the threat actors direct control over compromised systems, amplifying their ability to manipulate and exploit them.

To receive that control, the malware employs a technique called 'port knocking': the rootkit opens a specific port on the infected system and waits in standby mode. Upon receiving a specific signal, a so-called 'magic packet', from the threat actors, the compromised system establishes a connection to the Command-and-Control (C2, C&C) server of the attack operation. A rootkit is a form of malicious software deliberately engineered to provide elevated, root-level access to a machine while concealing its own presence. Notably, Reptile has been utilized in at least four distinct campaigns since 2022.

Several Harmful Campaigns Have Employed the Reptile Rootkit Already

In May 2022, researchers documented the first instance of the Reptile rootkit deployment, attributed to an intrusion set called Earth Berberoka, also recognized as GamblingPuppet. During this discovery, it was revealed that the rootkit was utilized to cloak connections and processes linked to a cross-platform Python Trojan, known as the Pupy RAT. These attacks were primarily directed at gambling websites situated in China.

In March 2023, a series of attacks were orchestrated by a suspected threat actor known as UNC3886, reportedly linked to China. These attacks capitalized on zero-day vulnerabilities to distribute an array of custom-made implants, alongside the Reptile rootkit.

Within the same month, the usage of a Linux-based malware named Mélofée, derived from Reptile, was attributed to a Chinese hacking group. Then, in June 2023, a cryptojacking campaign infected devices with a shell script backdoor to deliver the Reptile Rootkit, effectively concealing its child processes, files, and their content as part of its operations.

The Reptile Rootkit is Equipped with an Advanced Set of Threatening Capabilities

Closer analysis of Reptile reveals a distinctive mechanism: a loader component that operates in tandem with a tool termed kmatryoshka. This loader is responsible for decrypting the rootkit's kernel module and loading it into the system's memory. The loader then opens a designated port and waits for an attacker to send a special signal, referred to as a magic packet, to the host over TCP, UDP or ICMP.

The data carried in the magic packet contains one critical piece of information: the address of the C2 server. Using this address, the rootkit establishes a reverse shell to the C&C server. Triggering malicious activity via magic packets has previously been observed in another rootkit named Syslogk. An attack scenario of this kind involving the Reptile rootkit was detected in South Korea, and it displayed several tactical resemblances to Mélofée.
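As an added illustration of the trigger pattern described above (this is not code from the original article or from the Reptile project), the following Python sketch flags the sequence "unsolicited inbound packet from outside, then a new outbound TCP connection from the same host within a short window" over constructed connection-log lines. The log format, the addresses, the internal address range and the time window are all assumptions; the callback is allowed to go to a different address than the knock's sender because the C2 address travels inside the packet.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of connection-log lines in a hypothetical format
# (not Reptile's traffic and not any real sensor's output), sorted by time.
SAMPLE_LOG = """\
2023-06-01T10:00:01 ICMP 198.51.100.7 -> 10.0.0.5
2023-06-01T10:00:03 TCP 10.0.0.5:41522 -> 203.0.113.9:443
2023-06-01T10:05:00 TCP 10.0.0.8:50110 -> 10.0.0.2:22
2023-06-01T10:06:00 UDP 10.0.0.8:5353 -> 224.0.0.251:5353
2023-06-01T11:00:00 TCP 10.0.0.2:33000 -> 93.184.216.34:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

INTERNAL_PREFIX = "10.0.0."          # assumption: the monitored hosts' range
WINDOW = timedelta(seconds=10)       # assumption: knock-to-callback window


def parse(log_text):
    """Turn the constructed log lines into event dicts with datetime stamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore lines that do not fit the format
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_knock_then_callback(events, window=WINDOW):
    """Return (knock, callback) pairs: an external source sends a packet to an
    internal host, and that host opens an outbound TCP connection to an
    external address within `window`.  Any protocol counts as a knock, since
    the magic packet may arrive over TCP, UDP or ICMP."""
    alerts = []
    for i, knock in enumerate(events):
        if is_internal(knock["src"]) or not is_internal(knock["dst"]):
            continue                 # only unsolicited inbound packets
        for cb in events[i + 1:]:
            if cb["ts"] - knock["ts"] > window:
                break                # events are time-ordered; stop early
            if (cb["proto"] == "TCP" and cb["src"] == knock["dst"]
                    and not is_internal(cb["dst"])):
                alerts.append((knock, cb))
    return alerts
```

Run on the sample, the only hit is the ICMP packet to 10.0.0.5 followed two seconds later by that host's new TCP connection to 203.0.113.9; the internal-to-internal and multicast lines are not flagged.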

In summary, Reptile is a Linux kernel-mode rootkit whose primary function is concealing files, directories, processes, and network communications. It also presents a distinctive additional capability: providing a reverse shell. This trait leaves systems harboring the Reptile Rootkit open to hijacking by threat actors.
