APT31 and other threat actors have used Rekoobe, a backdoor based on Tiny SHell, for cyber espionage and data theft. Rekoobe has evolved to employ stronger encryption and unique C2 configurations, making it more resilient against detection and analysis.
The discovery of Rekoobe samples on a server hosting suspicious TradingView-like domains led to a deeper investigation into shared infrastructure, revealing potential links to a wider attack campaign involving open directories and compromised servers.
An open directory containing two malware binaries, identified as Rekoobe, was discovered on a server running Python 3.12.4 and SimpleHTTP 0.6. The binaries, targeting both x64 and x86 architectures, were publicly accessible.
During dynamic analysis, both binaries attempted to communicate with a specific IP address and port. One binary, na.elf, exhibited behavior similar to NoodRAT/Noodle RAT, including changing its process name and copying itself to a temporary directory before executing from there.
The ‘Rekoobe’ tag gives users a convenient way to discover and access additional open directories hosting Rekoobe samples.
The investigation uncovered typosquatting domains that are designed to mimic the legitimate TradingView platform, likely hosting malicious content, and pose a potential threat to unsuspecting users.
Typosquatted domains including tradingviewll.com were identified, potentially targeting TradingView users. While no active webpages were found, their existence alongside a Linux backdoor suggests a possible attempt to exploit financial platforms and their user base.
Three IP addresses, 27.124.45.231, 1.32.253.2, and 27.124.45.211, were identified as potentially compromised because they share SSH keys with the target IP 27.124.45.146; the link was discovered through analysis of Hunt’s Association tab.
According to Hunt, the three servers, likely part of the same Hong Kong-based infrastructure, were compromised between July and August, and the SSH key used for access was last active on October 4th.
27.124.45.211 hosts the same Rekoobe samples as 27.124.45.146, including an open directory with identical Python and SimpleHTTP versions. Both IPs share the Yakit Security Tool, suggesting a potential link between these servers.
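The indicators above (the four IP addresses, the tradingviewll.com typosquat, the SimpleHTTP/Python open-directory banner, and the copy-to-temp-then-execute behaviour seen in na.elf) can be turned into a simple detection pass over host and network logs. The following is an added example written for this page, not code from the original report or from Hunt; the log line format and the pid/path fields are constructed for the example, and the "file_write"/"exec" event names are assumed rather than taken from any particular sensor.

```python
"""Added example: match the Rekoobe indicators from the write-up against log lines.

Indicators come from the report text: hosting/C2 IPs, the typosquatted domain,
the open-directory server banner (the string Python's http.server emits), and
the self-copy-to-temp-then-execute pattern. Log format and field names are
constructed for this example and are not from any real sensor.
"""
import re

IOC_IPS = {"27.124.45.146", "27.124.45.231", "1.32.253.2", "27.124.45.211"}
IOC_DOMAINS = {"tradingviewll.com"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Banner advertised by the open directory: SimpleHTTP 0.6 on Python 3.12.4.
BANNER_RE = re.compile(r"Server:\s*SimpleHTTP/0\.6 Python/3\.12\.4")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
# Constructed event shapes: "file_write pid=N path=..." and "exec pid=N path=..."
WRITE_RE = re.compile(r"\bfile_write\b.*?\bpath=(\S+)")
EXEC_RE = re.compile(r"\bexec\b.*?\bpath=(\S+)")


def classify(line):
    """Return stateless (kind, value) hits for one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ioc_ip", ip))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in IOC_DOMAINS:
            hits.append(("ioc_domain", dom.lower()))
    if BANNER_RE.search(line):
        hits.append(("open_dir_banner", "SimpleHTTP/0.6 Python/3.12.4"))
    m = EXEC_RE.search(line)
    if m and m.group(1).startswith(TEMP_DIRS):
        hits.append(("tmp_exec", m.group(1)))
    return hits


def scan(lines):
    """Scan lines in order; returns (line_no, kind, value) findings.

    Keeps a small amount of state so that an exec of a path that was written
    into a temp directory earlier in the same log is flagged as self_copy_exec,
    the behaviour described for na.elf.
    """
    written_to_tmp = set()
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in classify(line):
            findings.append((n, kind, value))
        w = WRITE_RE.search(line)
        if w and w.group(1).startswith(TEMP_DIRS):
            written_to_tmp.add(w.group(1))
        e = EXEC_RE.search(line)
        if e and e.group(1) in written_to_tmp:
            findings.append((n, "self_copy_exec", e.group(1)))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick triage view."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample log (timestamps and host name are placeholders).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z host=web01 conn proto=tcp dst=27.124.45.146 dport=443",
    "2024-01-01T10:00:02Z host=web01 dns query=tradingviewll.com rcode=NXDOMAIN",
    "2024-01-01T10:00:03Z host=web01 http GET /na.elf 200 Server: SimpleHTTP/0.6 Python/3.12.4",
    "2024-01-01T10:00:04Z host=web01 file_write pid=4242 path=/tmp/.x/na.elf",
    "2024-01-01T10:00:05Z host=web01 exec pid=4242 path=/tmp/.x/na.elf",
    "2024-01-01T10:00:06Z host=web01 conn proto=tcp dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(summarize(scan(SAMPLE_LOG)))
```

The IP and domain lists are exact-match sets, so benign traffic (the 8.8.8.8 line) produces nothing; the banner check is deliberately narrow to the version pair named in the report, since SimpleHTTP on other Python versions is common and would only add noise. Feed real logs by replacing SAMPLE_LOG with lines read from a file.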
Yakit, a cybersecurity toolset, when used alongside Rekoobe and typosquatting domains, could potentially be misused for malicious activities like network interception and website exploitation.