Security firm ExaTrack says an unknown Chinese-sponsored hacker group is using new malware to attack Linux servers.
ExaTrack experts found samples of the malware, dubbed Mélofée, documented in early 2022.
One of the samples is designed to deliver a kernel-mode rootkit based on the open-source Reptile project. The rootkit has a limited set of features, mainly installing a hook designed to hide the rootkit itself.
According to security researchers, the implant and rootkit are deployed using shell commands that download an installer and a binary package from a remote server. The installer takes a binary package as an argument and then extracts the rootkit as well as the server implant module, which is currently under active development.
Mélofée receives instructions from a remote server to manipulate files, create sockets, launch a shell and execute arbitrary commands, and establish persistence. It is worth noting that some Pupy RAT samples in the January campaign were hidden using the Reptile rootkit.
The ExaTrack team linked the Mélofée malware to China based on infrastructure overlaps with APT41 (Winnti) and Earth Berberoka (GamblingPuppet).
ExaTrack also discovered another implant, codenamed AlienReverse, which shares code with Mélofée and uses the publicly available tools EarthWorm and socks_proxy.
Experts note that Mélofée's capabilities are relatively simple, but they can allow attackers to operate undetected. The discovered implants were not widely known, which suggests that the malware is used only in attacks against selected targets.