Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform, as researchers discovered malicious domains mimicking TradingView, suggesting a potential interest in compromising the platform’s user community. 

By analyzing shared SSH keys, investigators identified additional infrastructure linked to this campaign and another open directory, highlighting the evolving tactics employed by APT31 to evade detection and compromise sensitive information.

An open directory at 27.124.45[.]146:9998 exposed two Rekoobe malware binaries, 10-13-x64.bin and 10-13-x86.bin. Both binaries attempted to communicate with the same IP address on port 12345.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

The x64 binary, na.elf, exhibited behavior similar to NoodRAT/Noodle RAT, including process name changes and self-copying to the /tmp/CCCCCCCC directory. While these similarities suggest potential attribution, further analysis is necessary to confirm.

An investigation into backdoor files revealed typosquatting domains mimicking the legitimate TradingView website contained extra “l”s, increasing the risk of accidental user visits. 

While no active webpages were found, the Wayback Machine showed a 404 error for these domains in September 2024, suggesting a potential attempt to exploit financial platforms and their Linux-based user base. 

The existence of these domains in conjunction with the Rekoobe backdoor draws attention to the possibility of an infrastructure overlap for the purpose of specifically targeting financial institutions. 

Three IP addresses (27.124.45[.]231, 1.32.253[.]2, and 27.124.45[.]211) were found linked to 27.124.45[.]146 through shared SSH keys, which are likely part of the same operational setup and are hosted in Hong Kong and exhibit similar characteristics, including open directories with identical Python and SimpleHTTP versions and Rekoobe-detected files. 

According to Hunt, 27.124.45[.]211 also hosts Yakit, a cybersecurity tool that could potentially be misused for malicious activities.

The presence of these tools and the shared infrastructure warrant further investigation to assess the potential risks. 

The discovery of the Rekoobe backdoor in an open directory led to the identification of a broader malicious infrastructure, which includes lookalike domains mimicking TradingView and additional servers linked through shared SSH keys. 

Key network observables include IP addresses, ASNs, domains, host countries, and file hashes. A specific IP address (27.124.45.146) hosted the malicious files and shared SSH keys with other IPs, indicating potential coordinated activity.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free