Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
Published on
Published on
Published on
Oct 24, 2024
Oct 24, 2024
Oct 24, 2024
Introduction
Rekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, amongst other adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control configurations to hinder analysis and evade detection.
While researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used platform for worldwide charting, trading, and sharing financial insights traders use.
These suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared SSH keys, we identified additional infrastructure potentially linked to this campaign and another open directory.
Discovery of the Open Directory & Malware
We found an open directory at 27.124.45[.]146:9998 running Python version 3.12.4, SimpleHTTP 0.6, which exposed two binaries: 10-13-x64.bin and 10-13x86.bin. Both files were identified as Rekoobe by Hatching Triage, and their SHA-256 hashes are as follows:
-
10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf in Triage)
-
10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
![Open directory page for 27.124.45[.]146](https://app.hunt.io/images/blogs/rekoobe-backdoor/figure_1_open_directory_page_for_27_124_45_146.webp)
During dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open directory, specifically targeting port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.
In our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as "NoodRAT" and Trend Micro as "Noodle RAT." Specifically, the file changes its process name and copies itself to the /tmp/CCCCCCCC directory, where it executes from.
However, it's important to note that this alone does not definitively confirm that the binaries in this case are NoodRAT or Noodle RAT. The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.
Figure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.
By clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as shown in Figure 1.
Infrastructure Analysis: TradingView Lookalike Domains and Hosting Connections
During our investigation into the IP address hosting the two backdoor files, we discovered several domains closely mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of typosquatting attacks:
-
tradingviewlll[.]com
-
admin.tradingviewlll[.]com
-
tradingviewll[.]com
-
admin.tradingviewll[.].com
These minor changes, such as the addition of an extra "I" in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.
Unfortunately, we could not capture any active web pages associated with these domains created earlier this year. According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07 September this year. This means any web page may not have been fully deployed or is in a consistently inactive state.
While we can't be sure these domains were used in this campaign, they represent an interesting infrastructure overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to exploit financial platforms and their user base, as many of these systems rely on Linux.
Expanded Network Findings
Continuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys, suggesting a connection to our original server. This relationship was uncovered using the Hunt's Association tab, as shown in Figure 6.
The IPs include:
-
27.124.45[.]231
-
1.32.253[.]2
-
27.124.45[.]211
The SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) for all three was first observed by our scanners between late July and early August, and were last active on 04 October.
Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the same operational setup.
Among the IPs identified, 27.124.45[.]211 stood out as it also hosts an open directory (on the same port) running the same Python and SimpleHTTP versions and the duplicate Rekoobe-detected files as the original server ending in .146.
![Open directory contents for 27.124.45[.]211:9998](https://app.hunt.io/images/blogs/rekoobe-backdoor/figure_7_open_directory_contents_for_27_124_45_211_9998.webp)
Clicking on the button containing the three dots next to the files opens a menu for further actions, including searching by SHA-256 to identify other locations where the file is hosted. As shown in Figure 8, this search confirms that the two IPs--.146 and .211--are the only servers hosting these Rekoobe samples. Interestingly, our scanners also detected the Yakit Security Tool on 27.124.45[.]211
We previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and includes features such as man-in-the-middle (MiTM) interception and web fuzzing.
Primarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious purposes.
Combining these elements points to activity that merits further investigation to understand the potential risks involved fully.
Conclusion
In this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.
Hunting for malware in open directories can yield valuable insights into the servers behind attack campaigns. By leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker infrastructure.
Network Observables
| IP Address | ASN | Domain(s) | Host Country | Notes |
|---|---|---|---|---|
| 27.124.45[.]146 | CTG Server Limited | tradingviewlll[.]com admin.tradingviewlll[.]]com tradingviewll[.]com admin.tradingviewll[.]]com | HK | Open directory containing two (2) Rekoobe samples. |
| 1.32.253[.]2 | BGPNET Global ASN | 70332[.]club 390698[.]ru 953388[.]cc 836833[.]cc 734439[.]com 56204[.]sx 49246[.]sx 836833[.]cc 94783[.]club 734439[.]com 963388[.]cc | HK | IP seen sharing SSH keys with 27.124.45[.]146 from 2024-07-20 - 2024-10-04 |
| 27.124.45[.]231 | CTG Server Limited | N/A | HK | Shared SSH keys from 2024-07-31 - 2024-10-04 |
| 27.124.45[.]211 | CTG Server Limited | N/A | HK | Shared SSH keys from 2024-07-31 - 2024-10-04 |
File Information
| File Name | SHA-256 |
|---|---|
| 10-13-x64.bin | a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 |
| 10-13-x86.bin | 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b |
Introduction
Rekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, amongst other adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control configurations to hinder analysis and evade detection.
While researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used platform for worldwide charting, trading, and sharing financial insights traders use.
These suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared SSH keys, we identified additional infrastructure potentially linked to this campaign and another open directory.
Discovery of the Open Directory & Malware
We found an open directory at 27.124.45[.]146:9998 running Python version 3.12.4, SimpleHTTP 0.6, which exposed two binaries: 10-13-x64.bin and 10-13x86.bin. Both files were identified as Rekoobe by Hatching Triage, and their SHA-256 hashes are as follows:
-
10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf in Triage)
-
10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
During dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open directory, specifically targeting port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.
In our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as "NoodRAT" and Trend Micro as "Noodle RAT." Specifically, the file changes its process name and copies itself to the /tmp/CCCCCCCC directory, where it executes from.
However, it's important to note that this alone does not definitively confirm that the binaries in this case are NoodRAT or Noodle RAT. The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.
Figure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.
By clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as shown in Figure 1.
Infrastructure Analysis: TradingView Lookalike Domains and Hosting Connections
During our investigation into the IP address hosting the two backdoor files, we discovered several domains closely mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of typosquatting attacks:
-
tradingviewlll[.]com
-
admin.tradingviewlll[.]com
-
tradingviewll[.]com
-
admin.tradingviewll[.].com
These minor changes, such as the addition of an extra "I" in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.
Unfortunately, we could not capture any active web pages associated with these domains created earlier this year. According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07 September this year. This means any web page may not have been fully deployed or is in a consistently inactive state.
While we can't be sure these domains were used in this campaign, they represent an interesting infrastructure overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to exploit financial platforms and their user base, as many of these systems rely on Linux.
Expanded Network Findings
Continuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys, suggesting a connection to our original server. This relationship was uncovered using the Hunt's Association tab, as shown in Figure 6.
The IPs include:
-
27.124.45[.]231
-
1.32.253[.]2
-
27.124.45[.]211
The SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) for all three was first observed by our scanners between late July and early August, and were last active on 04 October.
Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the same operational setup.
Among the IPs identified, 27.124.45[.]211 stood out as it also hosts an open directory (on the same port) running the same Python and SimpleHTTP versions and the duplicate Rekoobe-detected files as the original server ending in .146.
Clicking on the button containing the three dots next to the files opens a menu for further actions, including searching by SHA-256 to identify other locations where the file is hosted. As shown in Figure 8, this search confirms that the two IPs--.146 and .211--are the only servers hosting these Rekoobe samples. Interestingly, our scanners also detected the Yakit Security Tool on 27.124.45[.]211
We previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and includes features such as man-in-the-middle (MiTM) interception and web fuzzing.
Primarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious purposes.
Combining these elements points to activity that merits further investigation to understand the potential risks involved fully.
Conclusion
In this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.
Hunting for malware in open directories can yield valuable insights into the servers behind attack campaigns. By leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker infrastructure.
Network Observables
| IP Address | ASN | Domain(s) | Host Country | Notes |
|---|---|---|---|---|
| 27.124.45[.]146 | CTG Server Limited | tradingviewlll[.]com admin.tradingviewlll[.]]com tradingviewll[.]com admin.tradingviewll[.]]com | HK | Open directory containing two (2) Rekoobe samples. |
| 1.32.253[.]2 | BGPNET Global ASN | 70332[.]club 390698[.]ru 953388[.]cc 836833[.]cc 734439[.]com 56204[.]sx 49246[.]sx 836833[.]cc 94783[.]club 734439[.]com 963388[.]cc | HK | IP seen sharing SSH keys with 27.124.45[.]146 from 2024-07-20 - 2024-10-04 |
| 27.124.45[.]231 | CTG Server Limited | N/A | HK | Shared SSH keys from 2024-07-31 - 2024-10-04 |
| 27.124.45[.]211 | CTG Server Limited | N/A | HK | Shared SSH keys from 2024-07-31 - 2024-10-04 |
File Information
| File Name | SHA-256 |
|---|---|
| 10-13-x64.bin | a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 |
| 10-13-x86.bin | 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b |
Related Posts:
Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.
Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.
Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.
Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.
RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.
RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.
Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.
Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.
Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.
Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.