15 March 2024

Hackers use Rekoobe Backdoor to Attack Linux Systems

According to a report dated 12 July 2023, a backdoor has become very popular with attackers targetingLinux systems and their environment. This backdoor is mainly used by Chinese actors such as APT 31.Although the first version of this backdoor was discovered in 2015, the AhnLab Security EmergencyResponse Centre (ASEC) has recently identified and analysed several variants of Rekoobe that activelytarget vulnerable Linux environments.In addition to this, Rekoobe, in ELF format, primarily targets Linux servers based on the followingsupported architectures: x86, x64 and SPARC. Rekoobe is derived from the open source program TinySHell, using its source code available on GitHub, and offers only essential and basic functionality.Instead of targeting systems with weak passwords, it mainly targets Linux servers that are notregularly updated or have poor configurations. To hide its identity, Rekoobe masquerades as "/bin/bash", mimicking a legitimate process and making it difficult for users to detect.