Threat Research: Multiple Chinese Threat Actors Using New Mélofée Malware

Summary

Mélofée, a new malware family, was recently discovered being used by the Chinese state-sponsored hacking groups Winnti Advanced Persistent Threat (APT) group, and Earth Berberoka targeting Linux servers. There are three different samples of the malware being circulated. All three versions of the malware share a common code base that uses shell commands to download the rootkit and the main implant from an attacker-controlled server. However, their communication protocols and encryption methods are still in development. The malware enables threat actors to establish a connection to a remote server, receive commands to carry out different operations, launch a shell, create sockets, and execute arbitrary commands.

Background

Winnti APT and Earth Berberoka are threat actors that are state sponsored by China and are affiliated with Chinese intelligence services. These threat actors have previously targeted multiple industries and political organizations in the United States, China, Japan, and South Korea. They primarily act to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services. Earth Berberoka is assessed to be a means of financing cyber operations for other Chinese state sponsored threat actors. Whereas Winnti APT group is believed to be associated with the Axiom, APT 17, and Mirage threat actors. These cyber actors share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites.

Attack Pattern

The process of the threat actor gaining initial access to the system is unknown. The malware is designed to drop a kernel-mode rootkit embedded with a hook designed to hide the malware operations. In addition to the rootkit being deployed on the victim’s system, an implant written in C++ is also installed using shell commands. These commands download the installer and a custom binary package from a remote server, at which point the threat actor can extract the rootkit and the implant establishing a backdoor.

Targeted Technology

Linux Server OS, MS Exchange Email, and Windows Endpoint OS

Targeted Industries

Winniti Group targets a broad range of industries, including education, electronics and semiconductors, government, media and entertainment, retail and e-commerce, and telecom organizations. Earth Berberoka has mostly targeted gambling websites in China and is assessed to be a financial source of cyber operations for Chinese state sponsored actors.

Conclusion

The Mélofée malware family is yet another toolset added to the arsenal of the cluster of state-sponsored Chinese APT groups. The capabilities offered by Mélofée are relatively simple but may enable adversaries to conduct their attacks under the radar and provide state-sponsored actors with another means of targeting Linux systems. Threat actors now view Linux operating systems as prime targets, as they are used for critical areas of business. Currently, this implant is not commonly seen, leading analysts to believe that the threat actors are likely limiting its usage to high valued targets operating on Linux systems. Organizations should be aware of this shift in targeting Linux systems and establish standard security best practices.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: