APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform: researchers found malicious domains impersonating TradingView, suggesting an interest in compromising the platform's user base.
By pivoting on shared SSH keys, investigators identified additional infrastructure linked to this campaign and another open directory, highlighting the tactics APT31 uses to evade detection and compromise sensitive information.
An open directory at 27.124.45[.]146:9998 exposed two Rekoobe malware binaries, 10-13-x64.bin and 10-13-x86.bin. Both binaries attempted to communicate with the same IP address on port 12345.


The x64 binary na.elf exhibited behavior similar to NoodRAT/Noodle RAT, including process name changes and self-copying to the /tmp/CCCCCCCC directory. While these similarities suggest a possible attribution, further analysis is needed to confirm it.
Investigation of the backdoor files revealed typosquatting domains that mimic the legitimate TradingView site with extra "l"s inserted, increasing the chance that users reach them by accident.
Although no live web pages were found, the Wayback Machine recorded a 404 response for these domains in September 2024, suggesting a possible attempt to exploit financial platforms and their Linux-based user base.
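The lookalike-domain check described above, as an added example that is not tooling from Hunt or from the report: it flags candidate domains that differ from the TradingView brand by a swapped TLD, look-alike characters (such as "l" for "i"), one or two inserted/removed/changed letters, or by embedding the brand in a longer label. The candidate domains in the block are constructed placeholders, not the domains actually observed.

```python
"""Flag lookalike domains for a brand, as with the TradingView typosquats above.

Added example, not tooling from Hunt or the report. The candidate domains
below are constructed placeholders, not the actual domains observed.
"""
from typing import Optional

LEGIT = "tradingview.com"

# Look-alike characters mapped to the letter they imitate (l/1 for i, 0 for o, ...).
CANON = str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e", "4": "a", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (second-level label, tld). Crude on purpose: real tooling should
    use the public suffix list so that brand.co.uk is handled correctly."""
    parts = domain.lower().strip(".").replace("[.]", ".").split(".")
    return parts[-2], parts[-1]


def classify(candidate: str, legit: str = LEGIT) -> Optional[str]:
    """Return why candidate looks like a typosquat of legit, or None if it does not."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    if c_label == l_label:
        return None if c_tld == l_tld else "tld-swap"
    if c_label.translate(CANON) == l_label.translate(CANON):
        return "homoglyph"  # e.g. 'i' replaced with 'l'
    dist = levenshtein(c_label, l_label)
    if dist <= 2:
        return f"edit-distance:{dist}"  # extra, missing or swapped letters
    if l_label in c_label:
        return "brand-embedded"  # e.g. brand-login.example
    return None


if __name__ == "__main__":
    # Constructed candidates for illustration only.
    for d in ["tradingview.com", "tradingview.pro", "tradlngvlew.com",
              "traddingview.com", "tradingview-login.com", "example.com"]:
        print(f"{d:24} {classify(d)}")
```

Run it against newly registered domains or passive DNS output, one domain per line; the homoglyph check fires before the edit-distance check so that an "l"-for-"i" swap is reported by its cause rather than as a generic distance-2 hit.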


The existence of these domains alongside the Rekoobe backdoor raises the possibility of an infrastructure overlap aimed specifically at financial institutions.
Three IP addresses (27.124.45[.]231, 1.32.253[.]2, and 27.124.45[.]211) were found linked to 27.124.45[.]146 through shared SSH keys. They are likely part of the same operational setup: all are hosted in Hong Kong and show similar traits, including open directories served with identical Python and SimpleHTTP versions and files detected as Rekoobe.
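The SSH-key pivot described above, as an added example that is not Hunt's tooling: it computes the OpenSSH SHA256 fingerprint of each host key, groups IPs that present the same key, and then checks which of those also serve the same HTTP Server banner on their open directory, a second, independent link. The host keys and banners in the block are constructed for illustration; they are not the real keys or version strings observed on these servers.

```python
"""Pivot on shared SSH host keys and HTTP banners to link infrastructure,
the technique used above to tie the three IPs to 27.124.45[.]146.

Added example, not Hunt's tooling. The host keys and Server banners below
are constructed for illustration; they are not the real keys or versions
observed on those servers.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of a public key line
    ('ssh-ed25519 AAAA...'), i.e. what `ssh-keygen -lf` prints."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # wire format: length-prefixed key type
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match the key line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_ed25519_key(raw: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 bytes.
    Constructed test data only: not a real key pair."""
    keytype = b"ssh-ed25519"
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


SHARED_KEY = fake_ed25519_key(b"\x11" * 32)
OTHER_KEY = fake_ed25519_key(b"\x22" * 32)

# Constructed scan results: (ip, SSH host key, HTTP Server header of the open directory).
HOSTS = [
    ("27.124.45.146", SHARED_KEY, "SimpleHTTP/0.6 Python/3.8.10"),
    ("27.124.45.231", SHARED_KEY, "SimpleHTTP/0.6 Python/3.8.10"),
    ("1.32.253.2", SHARED_KEY, "SimpleHTTP/0.6 Python/3.8.10"),
    ("27.124.45.211", SHARED_KEY, "SimpleHTTP/0.6 Python/3.8.10"),
    ("203.0.113.9", SHARED_KEY, "nginx/1.18.0"),                   # same key, different banner
    ("198.51.100.7", OTHER_KEY, "SimpleHTTP/0.6 Python/3.8.10"),   # same banner, different key
]


def clusters(hosts):
    """Map each host-key fingerprint seen on more than one IP to those IPs."""
    by_fp = defaultdict(list)
    for ip, key, _ in hosts:
        by_fp[ssh_fingerprint(key)].append(ip)
    return {fp: ips for fp, ips in by_fp.items() if len(ips) > 1}


def pivot(seed_ip, hosts):
    """From one IP, find others with the same host key, and which of those
    also serve the same HTTP banner (a stronger link than the key alone)."""
    lookup = {ip: (ssh_fingerprint(key), banner) for ip, key, banner in hosts}
    fp, banner = lookup[seed_ip]
    linked = [ip for ip, (f, _) in lookup.items() if f == fp and ip != seed_ip]
    same_banner = [ip for ip in linked if lookup[ip][1] == banner]
    return {"fingerprint": fp, "linked": linked, "same_banner": same_banner}


if __name__ == "__main__":
    result = pivot("27.124.45.146", HOSTS)
    print(result["fingerprint"])
    print("shared key:", result["linked"])
    print("shared key and banner:", result["same_banner"])
```

In practice the host keys come from an internet scan dataset or from `ssh-keyscan` against the IPs of interest, and the banner from the open directory's Server header. A shared host key usually means a cloned image or a copied /etc/ssh directory, so it links hosts even when they sit in different ASNs; the banner on its own is too common to be more than a weak signal, which is why the example reports the two separately.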


According to Hunt, 27.124.45[.]211 also hosts Yakit, a security testing tool that could be misused for malicious activity.
The presence of these tools and the shared infrastructure warrants further investigation to assess the potential risks.
The discovery of the Rekoobe backdoor in an open directory led to the identification of a broader malicious infrastructure, including lookalike domains mimicking TradingView and additional servers linked through shared SSH keys.
Key network observables include IP addresses, ASNs, domains, host countries, and file hashes. One IP address (27.124.45[.]146) hosted the malicious files and shared SSH keys with other IPs, indicating potential coordinated activity.