Saturday, December 7, 2024
HomeBackdoorRekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

Published on

SIEM as a Service

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform, as researchers discovered malicious domains mimicking TradingView, suggesting a potential interest in compromising the platform’s user community. 

By analyzing shared SSH keys, investigators identified additional infrastructure linked to this campaign and another open directory, highlighting the evolving tactics employed by APT31 to evade detection and compromise sensitive information.

An open directory at 27.124.45[.]146:9998 exposed two Rekoobe malware binaries, 10-13-x64.bin and 10-13-x86.bin. Both binaries attempted to communicate with the same IP address on port 12345.

- Advertisement - SIEM as a Service

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

 Open directory page for 27.124.45[.]146

The x64 binary, na.elf, exhibited behavior similar to NoodRAT/Noodle RAT, including process name changes and self-copying to the /tmp/CCCCCCCC directory. While these similarities suggest potential attribution, further analysis is necessary to confirm.

An investigation into backdoor files revealed typosquatting domains mimicking the legitimate TradingView website contained extra “l”s, increasing the risk of accidental user visits. 

While no active webpages were found, the Wayback Machine showed a 404 error for these domains in September 2024, suggesting a potential attempt to exploit financial platforms and their Linux-based user base. 

Wayback machine results for tradingviewll.com

The existence of these domains in conjunction with the Rekoobe backdoor draws attention to the possibility of an infrastructure overlap for the purpose of specifically targeting financial institutions. 

Three IP addresses (27.124.45[.]231, 1.32.253[.]2, and 27.124.45[.]211) were found linked to 27.124.45[.]146 through shared SSH keys, which are likely part of the same operational setup and are hosted in Hong Kong and exhibit similar characteristics, including open directories with identical Python and SimpleHTTP versions and Rekoobe-detected files. 

Open directory contents for 27.124.45[.]211:9998

According to Hunt, 27.124.45[.]211 also hosts Yakit, a cybersecurity tool that could potentially be misused for malicious activities.

The presence of these tools and the shared infrastructure warrant further investigation to assess the potential risks. 

The discovery of the Rekoobe backdoor in an open directory led to the identification of a broader malicious infrastructure, which includes lookalike domains mimicking TradingView and additional servers linked through shared SSH keys. 

Key network observables include IP addresses, ASNs, domains, host countries, and file hashes. A specific IP address (27.124.45.146) hosted the malicious files and shared SSH keys with other IPs, indicating potential coordinated activity.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Latest articles

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

Deloitte Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access...