Monday, May 5, 2025
HomeCyber AttackHackers use Rekoobe Backdoor to Attack Linux Systems

Hackers use Rekoobe Backdoor to Attack Linux Systems

Published on

SIEM as a Service

Follow Us on Google News

Rekoobe is a notorious backdoor that primarily targets Linux environments, and it’s actively exploited by the threat actors, mainly a Chinese threat group, APT31.

This notorious backdoor was discovered in 2015 for the first time, while an updated version of it resurfaced in 2018 that was exploited by the threat actors in several attacks.

AhnLab Security Emergency Response Center (ASEC) recently identified and analyzed several Rekoobe variants actively targeting Linux environments that are vulnerable. 

- Advertisement - Google News

Apart from this, Rekoobe, in ELF format, primarily targets Linux servers based on its following supported architectures:-

  • x86
  • x64
  • SPARC

Rekoobe Backdoor to Attack Linux Systems

Rekoobe is derived from the open-source program Tiny SHell, utilizing its source code available on GitHub, and it offers essential and basic features only.

Apart from process name changing, it also boasts three additional features, and here they are mentioned below:-

  • Downloading
  • Uploading
  • Executing C&C server commands

While organizing the Rekoobe and similar variants is quite difficult due to their open-source roots.

Details on Rekoobe’s installation methods and specific Linux system targets remain limited. Linux server-targeting malware preys on unattended or outdated servers. 

Notably, Rekoobe has no proven instances of threat actors exploiting it to execute brute-force attacks across numerous Linux servers.

Rather than targeting the systems that have weak account credentials, it primarily targets the Linux servers that lack regular updates or have poor configurations.

Here below we have mentioned the analysis report of one of the Rekoobe malware samples that was reported in Korea:-

  • MD5: 8921942fb40a4d417700cfe37cce1ce7
  • C&C Server: resolv.ctmailer[.]net:80 (103.140.186.32)
  • Download URL: hxxp://103.140.186[.]32/mails

To hide its identity, Rekoobe disguises itself as “/bin/bash,” mimicking a legitimate process, due to which it becomes challenging for users to detect it. 

Implementation involves manipulating program arguments through the strcpy() function, a unique feature that is absent in the original codebase of Tiny SHell.

Altered process name (Source – AhnLab)

The lack of command-line options for C&C server address or password input distinguishes the Rekoobe from Tiny SHell. Since these options are missing, so, the C&C server address in the malware is hard-coded.

Tiny SHell and Rekoobe comparison (Source – AhnLab)

For AES-128 key generation, the Tiny SHell and Rekoobe leverage the HMAC SHA1 algorithm that ensures secure communication with the C&C server, since the key encrypts the communication data.

Initially, this Rekoobe variant establishes a connection to a hard-coded C&C server. However, other variations adopt a bind shell form, opening ports and waiting for the C&C server to connect. Here Tiny SHell supports both methods, due to which it becomes possible.

C&C communication in bind shell form (Source – AhnLab)

It’s believed there is a distinct builder tool that Rekoobe has that generates each malware instance with a threat actor-designated password for individual attacks.

Rekoobe Malware Samples Used Against Korea

Here below, we have mentioned all the Rekoobe malware samples that are based on the x64 architecture and used by the threat actors against Korea:-

  • java
  • rmicd(123)
  • mails
  • service

Recommendations

Here below we have mentioned all the recommendations offered by the security experts at AhnLab:-

  • Make sure to examine vulnerable configuration settings.
  • Ensure proper verification of the authentication credentials.
  • Always keep the systems up to date with the latest patch and updates.
  • Ensure that you have the latest version of V3 installed to safeguard against malware infections.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...