Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Published on

Published on

Published on

Oct 24, 2024

Oct 24, 2024

Oct 24, 2024

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
TABLE OF CONTENTS

Introduction

Rekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, amongst other adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control configurations to hinder analysis and evade detection.

While researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used platform for worldwide charting, trading, and sharing financial insights traders use.

These suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared SSH keys, we identified additional infrastructure potentially linked to this campaign and another open directory.

Discovery of the Open Directory & Malware

We found an open directory at 27.124.45[.]146:9998 running Python version 3.12.4, SimpleHTTP 0.6, which exposed two binaries: 10-13-x64.bin and 10-13x86.bin. Both files were identified as Rekoobe by Hatching Triage, and their SHA-256 hashes are as follows:

  • 10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf in Triage)

  • 10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b

Open directory page for 27.124.45[.]146

During dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open directory, specifically targeting port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.

In our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as "NoodRAT" and Trend Micro as "Noodle RAT." Specifically, the file changes its process name and copies itself to the /tmp/CCCCCCCC directory, where it executes from.

However, it's important to note that this alone does not definitively confirm that the binaries in this case are NoodRAT or Noodle RAT. The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.

Figure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.

Triage analysis of na.elf processes

By clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as shown in Figure 1.

Results of clicking the Rekoobe tag to find additional open directories hosting the malware

Infrastructure Analysis: TradingView Lookalike Domains and Hosting Connections

During our investigation into the IP address hosting the two backdoor files, we discovered several domains closely mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of typosquatting attacks:

  • tradingviewlll[.]com

  • admin.tradingviewlll[.]com

  • tradingviewll[.]com

  • admin.tradingviewll[.].com

These minor changes, such as the addition of an extra "I" in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.

Domain overview showing typosquatting domains targeting TradingView

Unfortunately, we could not capture any active web pages associated with these domains created earlier this year. According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07 September this year. This means any web page may not have been fully deployed or is in a consistently inactive state.

Wayback machine results for tradingviewll.com

While we can't be sure these domains were used in this campaign, they represent an interesting infrastructure overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to exploit financial platforms and their user base, as many of these systems rely on Linux.

Expanded Network Findings 

Continuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys, suggesting a connection to our original server. This relationship was uncovered using the Hunt's Association tab, as shown in Figure 6.

The IPs include:

  • 27.124.45[.]231

  • 1.32.253[.]2

  • 27.124.45[.]211

The SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) for all three was first observed by our scanners between late July and early August, and were last active on 04 October.

Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the same operational setup.

The Associations Tab in Hunt displays associated IPs that can be pivoted to enhance investigations

Among the IPs identified, 27.124.45[.]211 stood out as it also hosts an open directory (on the same port) running the same Python and SimpleHTTP versions and the duplicate Rekoobe-detected files as the original server ending in .146.

Open directory contents for 27.124.45[.]211:9998

Clicking on the button containing the three dots next to the files opens a menu for further actions, including searching by SHA-256 to identify other locations where the file is hosted. As shown in Figure 8, this search confirms that the two IPs--.146 and .211--are the only servers hosting these Rekoobe samples. Interestingly, our scanners also detected the Yakit Security Tool on 27.124.45[.]211

We previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and includes features such as man-in-the-middle (MiTM) interception and web fuzzing.

Primarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious purposes.

Combining these elements points to activity that merits further investigation to understand the potential risks involved fully.

Results of SHA-256 search across all open directories for similar files

Conclusion

In this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.

Hunting for malware in open directories can yield valuable insights into the servers behind attack campaigns. By leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker infrastructure.

Network Observables

IP AddressASNDomain(s)Host CountryNotes
27.124.45[.]146CTG Server Limitedtradingviewlll[.]com
admin.tradingviewlll[.]]com
tradingviewll[.]com
admin.tradingviewll[.]]com
HKOpen directory containing two (2) Rekoobe samples.
1.32.253[.]2BGPNET Global ASN70332[.]club
390698[.]ru
953388[.]cc
836833[.]cc
734439[.]com
56204[.]sx
49246[.]sx
836833[.]cc
94783[.]club
734439[.]com
963388[.]cc
HKIP seen sharing SSH keys with 27.124.45[.]146 from 2024-07-20 - 2024-10-04
27.124.45[.]231CTG Server LimitedN/AHKShared SSH keys from 2024-07-31 - 2024-10-04
27.124.45[.]211CTG Server LimitedN/AHKShared SSH keys from 2024-07-31 - 2024-10-04

File Information

File NameSHA-256
10-13-x64.bina1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3
10-13-x86.bin28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
TABLE OF CONTENTS

Introduction

Rekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, amongst other adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control configurations to hinder analysis and evade detection.

While researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used platform for worldwide charting, trading, and sharing financial insights traders use.

These suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared SSH keys, we identified additional infrastructure potentially linked to this campaign and another open directory.

Discovery of the Open Directory & Malware

We found an open directory at 27.124.45[.]146:9998 running Python version 3.12.4, SimpleHTTP 0.6, which exposed two binaries: 10-13-x64.bin and 10-13x86.bin. Both files were identified as Rekoobe by Hatching Triage, and their SHA-256 hashes are as follows:

  • 10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf in Triage)

  • 10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b

Open directory page for 27.124.45[.]146

During dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open directory, specifically targeting port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.

In our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as "NoodRAT" and Trend Micro as "Noodle RAT." Specifically, the file changes its process name and copies itself to the /tmp/CCCCCCCC directory, where it executes from.

However, it's important to note that this alone does not definitively confirm that the binaries in this case are NoodRAT or Noodle RAT. The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.

Figure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.

Triage analysis of na.elf processes

By clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as shown in Figure 1.

Results of clicking the Rekoobe tag to find additional open directories hosting the malware

Infrastructure Analysis: TradingView Lookalike Domains and Hosting Connections

During our investigation into the IP address hosting the two backdoor files, we discovered several domains closely mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of typosquatting attacks:

  • tradingviewlll[.]com

  • admin.tradingviewlll[.]com

  • tradingviewll[.]com

  • admin.tradingviewll[.].com

These minor changes, such as the addition of an extra "I" in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.

Domain overview showing typosquatting domains targeting TradingView

Unfortunately, we could not capture any active web pages associated with these domains created earlier this year. According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07 September this year. This means any web page may not have been fully deployed or is in a consistently inactive state.

Wayback machine results for tradingviewll.com

While we can't be sure these domains were used in this campaign, they represent an interesting infrastructure overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to exploit financial platforms and their user base, as many of these systems rely on Linux.

Expanded Network Findings 

Continuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys, suggesting a connection to our original server. This relationship was uncovered using the Hunt's Association tab, as shown in Figure 6.

The IPs include:

  • 27.124.45[.]231

  • 1.32.253[.]2

  • 27.124.45[.]211

The SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) for all three was first observed by our scanners between late July and early August, and were last active on 04 October.

Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the same operational setup.

The Associations Tab in Hunt displays associated IPs that can be pivoted to enhance investigations

Among the IPs identified, 27.124.45[.]211 stood out as it also hosts an open directory (on the same port) running the same Python and SimpleHTTP versions and the duplicate Rekoobe-detected files as the original server ending in .146.

Open directory contents for 27.124.45[.]211:9998

Clicking on the button containing the three dots next to the files opens a menu for further actions, including searching by SHA-256 to identify other locations where the file is hosted. As shown in Figure 8, this search confirms that the two IPs--.146 and .211--are the only servers hosting these Rekoobe samples. Interestingly, our scanners also detected the Yakit Security Tool on 27.124.45[.]211

We previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and includes features such as man-in-the-middle (MiTM) interception and web fuzzing.

Primarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious purposes.

Combining these elements points to activity that merits further investigation to understand the potential risks involved fully.

Results of SHA-256 search across all open directories for similar files

Conclusion

In this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.

Hunting for malware in open directories can yield valuable insights into the servers behind attack campaigns. By leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker infrastructure.

Network Observables

IP AddressASNDomain(s)Host CountryNotes
27.124.45[.]146CTG Server Limitedtradingviewlll[.]com
admin.tradingviewlll[.]]com
tradingviewll[.]com
admin.tradingviewll[.]]com
HKOpen directory containing two (2) Rekoobe samples.
1.32.253[.]2BGPNET Global ASN70332[.]club
390698[.]ru
953388[.]cc
836833[.]cc
734439[.]com
56204[.]sx
49246[.]sx
836833[.]cc
94783[.]club
734439[.]com
963388[.]cc
HKIP seen sharing SSH keys with 27.124.45[.]146 from 2024-07-20 - 2024-10-04
27.124.45[.]231CTG Server LimitedN/AHKShared SSH keys from 2024-07-31 - 2024-10-04
27.124.45[.]211CTG Server LimitedN/AHKShared SSH keys from 2024-07-31 - 2024-10-04

File Information

File NameSHA-256
10-13-x64.bina1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3
10-13-x86.bin28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b

Related Posts:

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.