Request a Demo
Rewterz
Rewterz Threat Advisory – ICS: Honeywell Maxpro VMS & NVR
January 22, 2020
Rewterz
Rewterz Threat Alert – Increased Activity of Emotet
January 23, 2020

Rewterz Threat Alert – Linux Rekoobe Malware is Back

Severity

High

Analysis Summary

Identification of new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC authentication protocol originally targeting SPARC and Intel x86, x86-64 systems back in 2015 is back.  The new malware samples have lower detection rates than their predecessors. This might be because of malware ceased its operation in 2016 after it was reported. In the current context, Rekoobe have resumed their operations utilizing a newer version of the malware.

Technical Analysis

the new variants are statically compiled ELF binaries while older variants were dynamically compiled.This undeniably implies that on a code level these two generations of the same malware are different. Since the compilation flags used by the GCC compiler differ between dynamically and statically linked code, the compiler will generate different code accordingly.

In previous Rekoobe variants, the malware would initially collect some preliminary configuration saved in disk, masquerading this configuration to be a shared object, However, in the new variants, the need for this configuration file has been completely removed, having hard-coded the subject artifacts previously dependent on the configuration file.

pasted image 0 7
pasted image 0 3

Impact

Download user files

Indicators of Compromise

Domain Name

huawel[.]site

Hostname

7xin[.]bitscan[.]win

IP

  • 119[.]3[.]22[.]174
  • 96[.]45[.]187[.]113

MD5

  • f34119a442651945d5efb33db8901d9b
  • 4b45e601d480124c38be06a706f7d8f4

SHA-256

  • 2e2dc0328f6c19b033bb19c24e59e354e519606958afb93fd8049d162a8e3edd
  • c9eb46d00e11acb354b518f725412b88c69cc511ec8d5bd3cb03c1740f8a2936
  • 7148ae1ab45e17889915100fdc203fe7941d8e9b946d44a3989ab8baeb6066e1
  • 80e5fec19843c32c6c3fc38aabdeb428c339b0dfce28023529144405b9c72b33
  • e63c2e35a41c51e33b246f5b60c5d1b8da0d8c50bf7ec592383b61818217e8d7
  • 1d0591049a65db6508a9517f72954541ef6b5a7fe9153c5edcb1bac1b70b991c

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.