October 2, 2023

Researchers have spotted that threat actors that are using an open-source rootkit dubbed as Reptile in attacks aimed at systems in South Korea.

Reptile, an open-source kernel module rootkit that targets Linux systems, it also offers a reverse shell, which makes it ad a standout. The malware supports port knocking. It opens a specific port on an infected system and waits for a magic packet sent by the attackers to establish a C2 connection.

Researchers from Mandiant published a report about a campaign attributed to a China-linked APT group that used the Reptile rootkit and exploited the zero-day vulnerability tracked as CVE-2022-41328 persisted in Fortinet products.


Researchers from ExaTrack also detailed a campaign using the Mélofée malware and the Reptile rootkit. The researchers attributed the campaign to the China-linked cyberespionage group Winnti.

The Reptile malware uses a loader that is a kernel module packed using the open-source tool kmatryoshka that used to decrypt the rootkit and load its kernel module into memory. The kernel module opens a specific port and awaits the attacker communications.

Reptile relies on an engine called KHOOK to hook Linux kernel functions. The rootkit was employed in past attacks against South Korean companies.

The initial method of infiltration remains unidentified, but upon examination, the Reptile rootkit, reverse shell, Cmd, and startup script were all included, allowing the basic configuration to be ascertained.


In this campaign, apart from Reptile, an ICMP-based shell called ISH was also utilized by the threat actor. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell.

The reverse shells or bind shells use protocols like TCP or HTTP, but it is speculated that the threat actor opted for ISH to evade network detection caused by these communication protocols.

Researchers warn that Reptile can be easily utilized by various threat actors because its code is available as open-source. Threat actors can also customize the rootkit in future attacks and use it in conjunction with other malware

Indicators of Compromise

  • 1957e405e7326bd2c91d20da1599d18e
  • d1abb8c012cc8864dcc109b5a15003ac
  • f8247453077dd6c5c1471edd01733d7f
  • cb61b3624885deed6b2181b15db86f4d
  • c3c332627e68ce7673ca6f0d273b282e
  • 246c5bec21c0a87657786d5d9b53fe38
  • bb2a0bac5451f8acb229d17c97891eaf
  • 977bb7fa58e6dfe80f4bea1a04900276
  • 5b788feef374bbac8a572adaf1da3d38

This research was documented by researchers from Ahn Security Labs

Leave a Reply

%d bloggers like this: