Advanced Linux Malware “Reptile Rootkit” Targets South Korea

Cybersecurity experts have recently uncovered a concerning trend in South Korea, where threat actors are actively deploying an open-source rootkit dubbed “Reptile” to target Linux systems.

This malware is not a run-of-the-mill rootkit: it goes a step further by offering a reverse shell, giving attackers convenient access to compromised systems. The AhnLab Security Emergency Response Center (ASEC) issued a report this week highlighting the dangers posed by Reptile.

The modus operandi of this sophisticated malware involves a technique known as “port knocking.” Once Reptile infects a system, it remains in standby mode, listening for a specific magic packet from the threat actor.

Upon receiving this packet, the malware establishes a connection with the command-and-control (C&C) server, enabling the attacker to take complete control of the compromised system.

Reptile’s presence first came to light in May 2022 when Trend Micro reported its association with the intrusion set called Earth Berberoka, also known as GamblingPuppet.

This group targeted gambling sites in China, using Reptile to obscure connections and processes related to the notorious cross-platform Python trojan, Pupy RAT. Since then, at least four different campaigns have been identified utilizing Reptile.

In March 2023, Google-owned Mandiant exposed attacks carried out by a suspected China-linked threat actor named UNC3886, who leveraged zero-day vulnerabilities in Fortinet appliances alongside Reptile.

Chinese hacking groups were also implicated in the use of Reptile-based Linux malware, with ExaTrack revealing a strain called Mélofée operating in the same month.

Most recently, a cryptojacking operation uncovered by Microsoft utilized Reptile through a shell script backdoor, making its malicious activities harder to detect.

In a deeper analysis of Reptile, experts found that the rootkit employs a loader with a tool called kmatryoshka to decrypt and load its kernel module into memory. Subsequently, the malware opens a specific port, awaiting the magic packet to activate the reverse shell, which connects to the C&C server, giving full control to the attacker.
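The knock-then-callback sequence described above (a packet to an otherwise unused port, followed shortly by an outbound connection to the C&C server) leaves a pattern in network flow records that defenders can look for. The following heuristic is an added example written for this article, not code from ASEC or from the Reptile project; the flow records, field layout, port list and 30-second window are all constructed assumptions, and the real rootkit's ports and C&C addresses are not known from the article.

```python
"""Correlate an inbound 'knock' with a follow-on outbound connection.

Added example, not from ASEC's report: flags the pattern the article
describes (a rootkit waits for a magic packet on an unused port, then
opens a reverse shell to a C&C server). Flow records are constructed;
the field layout and the served-port list are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample flows: (timestamp, direction, host, peer, port).
# Peers use RFC 5737 documentation addresses, not real indicators.
SAMPLE_FLOWS = [
    ("2023-08-01T10:00:00", "in",  "10.0.0.5", "203.0.113.9",  22),     # normal SSH
    ("2023-08-01T10:00:05", "in",  "10.0.0.5", "203.0.113.9",  41234),  # knock on unused port
    ("2023-08-01T10:00:07", "out", "10.0.0.5", "203.0.113.9",  443),    # callback to C&C
    ("2023-08-01T10:05:00", "in",  "10.0.0.7", "198.51.100.4", 80),     # normal web hit
    ("2023-08-01T10:05:09", "out", "10.0.0.7", "198.51.100.4", 443),    # benign: 80 is served
]

# Ports the monitored hosts legitimately serve (assumed); any other inbound
# port is a candidate knock.
SERVED_PORTS = {22, 80, 443}
WINDOW = timedelta(seconds=30)

def parse(flow):
    ts, direction, host, peer, port = flow
    return datetime.fromisoformat(ts), direction, host, peer, port

def find_knock_then_callback(flows, served_ports=SERVED_PORTS, window=WINDOW):
    """Return (host, callback_peer, knock_port, delay_seconds) for every inbound
    packet to an unserved port that is followed within `window` by an outbound
    connection from the same host. One alert per knock."""
    parsed = sorted((parse(f) for f in flows), key=lambda r: r[0])
    alerts = []
    for i, (t_in, direction, host, _peer, port) in enumerate(parsed):
        if direction != "in" or port in served_ports:
            continue
        for t_out, d2, host2, peer2, _ in parsed[i + 1:]:
            if t_out - t_in > window:
                break  # records are time-sorted, so nothing later can match
            if d2 == "out" and host2 == host:
                alerts.append((host, peer2, port, int((t_out - t_in).total_seconds())))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_knock_then_callback(SAMPLE_FLOWS):
        print("possible knock-then-callback:", alert)
```

On the constructed sample this flags only 10.0.0.5, whose inbound packet on port 41234 is followed two seconds later by an outbound connection to the same peer; the second host's traffic is ignored because port 80 is a served port.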

It’s important to note that the use of magic packets to trigger malicious activities was previously observed in another rootkit known as Syslogk, as documented by Avast last year.

As Reptile continues to pose a serious threat to Linux systems, security firms in South Korea have already detected attack cases involving this stealthy rootkit, which bears tactical similarities to Mélofée.

This situation calls for heightened vigilance and proactive measures to safeguard vulnerable systems against Reptile’s intrusion.
