New Stealth Malware Variant Targets Red Hat Systems
Quick take - A report from Qianxin’s X Lab has revealed a new variant of stealth malware targeting Red Hat 7.9 systems, identified as a Melofee backdoor linked to the Winnti group. It employs advanced evasion tactics, and Sandfly has detected it despite its zero detection coverage on VirusTotal.
Fast Facts
- A new variant of stealth malware, linked to the Winnti group and identified as a Melofee backdoor, targets Red Hat 7.9 and similar systems, showing zero detection on VirusTotal.
- The malware features an encrypted Loadable Kernel Module (LKM) rootkit that can hide processes, files, and its own presence, maintaining stealth and ongoing access to infected systems.
- Sandfly, a cybersecurity company, has successfully detected the malware’s activity, including a hidden kernel module named “kworkerx,” which is not visible through standard Linux commands.
- The rootkit creates a hidden process named “[md]” for communication, using tactics that trigger alerts for kernel thread masquerading.
- Experts recommend taking infected systems offline for analysis and rebuilding, as the malware’s stealth capabilities evade traditional detection methods; Sandfly offers support and a free trial of their agentless Linux security approach.
New Stealth Malware Variant Targets Red Hat 7.9 Systems
A recent report from Qianxin’s X Lab has unveiled a new variant of stealth malware targeting Red Hat 7.9 and similar systems. This malware, identified as a variant of the Melofee backdoor linked to the Winnti group, currently exhibits zero detection coverage on VirusTotal, indicating its advanced evasion tactics.
Detection and Capabilities
Despite the malware’s stealth capabilities, Sandfly, a cybersecurity company, has successfully detected its activity. The Melofee malware employs full stealth features, including an encrypted Loadable Kernel Module (LKM) rootkit based on the Reptile project. This encryption allows the rootkit to bypass traditional detection methods, such as signature scanning. Once activated, the rootkit can render the main process invisible and hide various system components, including processes, files, kernel module presence, and persistence mechanisms. This capability allows the malware to maintain stealth and ongoing access to the infected systems.
Sandfly has reported identifying suspicious activities associated with this malware, leading to alerts for users. Notably, a hidden kernel module named “kworkerx” has been detected, which is not visible through standard Linux commands like “lsmod.” The presence of this unsigned kernel module taints the Linux kernel, raising concerns about its legitimacy, as it may be either loading from a non-standard location or actively hiding itself.
Indicators of Infection
Sandfly’s drift detection feature is capable of identifying new kernel modules, including kworkerx, and can spot novel malware across various system components such as processes and kernel modules. After activation, the rootkit creates a hidden process named “[md],” which serves as the primary communication channel for the malware. The use of brackets in the process name is a known tactic in Linux malware to impersonate a kernel thread, triggering multiple alerts in Sandfly for kernel thread masquerading.
Indicators of infection include the presence of a dropper file located at “/tmp/lock_tmp1” and a malicious module directory at “/sys/module/kworkerx.” The malware utilizes crontab for persistence, among other potential mechanisms.
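The indicators above translate directly into host checks a responder can run. The script below is an added example, not Sandfly’s or X Lab’s code: it compares the loadable modules sysfs knows about against `/proc/modules` (the list `lsmod` prints), reads the kernel taint flags, flags processes that look like kernel threads but lack the kernel-only `PF_KTHREAD` flag, and looks for the dropper path, the `/sys/module/kworkerx` directory and crontab persistence. The taint bit numbers are mainline values assumed to match the target kernel; the stat lines and crontab text used in testing are constructed.

```python
#!/usr/bin/env python3
"""Host checks for the Melofee / kworkerx LKM rootkit indicators above.

Added example, not the vendor's code. The check_* functions take text so they
can be exercised on constructed input; scan() wires them to a live Linux
/proc and /sys (assumed layout).
"""
import glob
import os

DROPPER = "/tmp/lock_tmp1"     # dropper path from the report
MODULE_NAME = "kworkerx"       # hidden module name from the report
PF_KTHREAD = 0x00200000        # include/linux/sched.h; only the kernel sets it
# Taint bits from include/linux/kernel.h (mainline numbering; assumed to match
# the target kernel): 12 = out-of-tree module, 13 = unsigned module
TAINT_BITS = {12: "O (out-of-tree module)", 13: "E (unsigned module)"}


def check_hidden_modules(sysfs_loaded, proc_modules_text):
    """Return loadable modules present in sysfs but missing from /proc/modules.

    sysfs_loaded: names under /sys/module that have an 'initstate' file
    (built-in modules have a directory there but no initstate).
    proc_modules_text: contents of /proc/modules; first token is the name.
    A module in sysfs but absent from /proc/modules has unlinked itself from
    the module list, which is how Reptile-style rootkits hide from lsmod.
    """
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(set(sysfs_loaded) - listed)


def check_taint(tainted_value):
    """Map the integer in /proc/sys/kernel/tainted to module-related flags."""
    return [label for bit, label in TAINT_BITS.items() if tainted_value & (1 << bit)]


def check_kthread_masquerade(stat_text, cmdline):
    """Return a reason string if a /proc/PID/stat line looks like a fake kernel thread.

    comm is wrapped in parentheses and may contain spaces, so split on the
    last ')'. Fields after comm: state ppid pgrp session tty_nr tpgid flags ...
    Real kernel threads carry PF_KTHREAD; ps adds the brackets itself when
    cmdline is empty, so a comm that literally contains brackets is a tell.
    """
    head, _, rest = stat_text.rpartition(")")
    comm = head.split("(", 1)[1]
    fields = rest.split()
    state, flags = fields[0], int(fields[6])
    if flags & PF_KTHREAD:
        return None                      # genuine kernel thread
    if comm.startswith("[") and comm.endswith("]"):
        return "comm %r carries literal brackets; kernel threads never do" % comm
    if not cmdline and state != "Z":     # zombies legitimately have no cmdline
        return "empty cmdline (ps would show [%s]) but PF_KTHREAD is not set" % comm
    return None


def check_crontab(crontab_text, needle=DROPPER):
    """Return non-comment crontab lines that reference the dropper."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if needle in ln and not ln.lstrip().startswith("#")]


def scan():
    """Run every check against the live system and return the findings."""
    findings = []
    sysdir = "/sys/module"
    loaded = [m for m in os.listdir(sysdir)
              if os.path.exists(os.path.join(sysdir, m, "initstate"))]
    with open("/proc/modules") as fh:
        findings += ["module hidden from lsmod: %s" % m
                     for m in check_hidden_modules(loaded, fh.read())]
    if os.path.isdir(os.path.join(sysdir, MODULE_NAME)):
        findings.append("sysfs directory present: /sys/module/%s" % MODULE_NAME)
    with open("/proc/sys/kernel/tainted") as fh:
        findings += ["kernel tainted: %s" % f for f in check_taint(int(fh.read()))]
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/stat" % pid) as fh:
                stat = fh.read()
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                cmdline = fh.read()
        except OSError:
            continue                     # process exited while we looked
        reason = check_kthread_masquerade(stat, cmdline)
        if reason:
            findings.append("pid %s: %s" % (pid, reason))
    if os.path.exists(DROPPER):
        findings.append("dropper present: %s" % DROPPER)
    for path in ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/*"):
        try:
            with open(path) as fh:
                findings += ["%s: %s" % (path, ln) for ln in check_crontab(fh.read())]
        except OSError:
            pass
    return findings


if __name__ == "__main__":
    for line in scan() or ["no indicators found"]:
        print(line)
```

Run it as root on the suspect host (`python3 melofee_check.py`); the process check in particular needs to read every `/proc/PID/stat`. A clean result does not prove the host is clean, since a rootkit with syscall hooks can lie to any tool that runs on the box, which is why the report recommends offline analysis. Treat any hit as a reason to preserve evidence and take the system offline rather than to start removing files.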
Recommendations
Experts advise against attempting to clean an infected system. Instead, it should be taken offline for root cause analysis and rebuilt after ensuring evidence preservation. The report concludes that the malware’s stealthy characteristics enable it to evade traditional detection methods. To assist users in identifying affected systems, Sandfly provides tactics detection and encourages users to reach out for support. Additionally, users are invited to try Sandfly’s agentless Linux security approach for free.