{
	"id": "ed040913-82cb-4f50-b70b-9b28efdc9086",
	"created_at": "2026-04-06T00:06:20.56105Z",
	"updated_at": "2026-04-10T03:35:46.059107Z",
	"deleted_at": null,
	"sha1_hash": "646dfe781f28f84423f86961fcd6b99a63dbdd37",
	"title": "Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1594980,
	"plain_text": "Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux\r\nSystems in Korea\r\nBy ATCP\r\nPublished: 2023-07-02 · Archived: 2026-04-05 21:40:15 UTC\r\nRekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response\r\nCenter (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby\r\nshare its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to\r\ntarget Korean companies.\r\n1. Overview\r\nRekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1] and there is a case from 2018\r\nwhere an updated version of it was used in attacks. [2] Based on its supported architectures (x86, x64, and SPARC),\r\nRekoobe in ELF format is primarily believed to target Linux servers.\r\nKnown to have been created based on the source code of the open-source program Tiny SHell, which is publicly available\r\non GitHub, Rekoobe supports basic features as the name “Tiny” implies. [3] Aside from subsidiary features such as process\r\nname changing, it has only three other features. It can download, upload, and execute commands from a C\u0026C server. Due to\r\nits open-source foundation, categorizing Rekoobe and similar variants can be challenging, but this post will analyze the\r\ngenerally known Rekoobe variants.\r\nThere is limited information available regarding how threat actors install Rekoobe on Linux systems and their specific\r\ntargets. However, Rekoobe is known for being a malware strain used by the Chinese threat group APT31. [4]\r\nGenerally, malware that targets Linux servers focuses on poorly managed servers or servers that are vulnerable due to not\r\nhaving been updated to the latest version. 
It should be noted that there have been no confirmed cases of threat actors using\r\nRekoobe to scan and launch brute-force attacks on multiple Linux servers.\r\nAs a result, it is suspected that Linux servers that are primarily vulnerable due to not performing regular updates or having\r\npoor configurations may be targeted, rather than systems with weak account credentials. Additionally, there have been\r\nreported cases of supply chain attacks where a threat actor targeted a popular WordPress plugin and installed Rekoobe to\r\ngain control over compromised systems. [5]\r\n2. Analysis of Rekoobe\r\nHere, we will analyze one of the Rekoobe malware samples reported in Korea.\r\nMD5: 8921942fb40a4d417700cfe37cce1ce7\r\nC\u0026C Server: resolv.ctmailer[.]net:80 (103.140.186.32)\r\nDownload URL: hxxp://103.140.186[.]32/mails\r\nRekoobe disguises itself by changing its process name to “/bin/bash”, which matches the name of a normal process. This\r\nmakes it difficult for users to detect its presence. This is implemented by using the strcpy() function to change the\r\narguments given upon executing the program. Additionally, this particular feature is not present in the original Tiny SHell\r\ncodebase.\r\nFigure 1. Process name that has been changed\r\nAnother notable difference between Rekoobe and Tiny SHell is the absence of command-line options for receiving the C\u0026C\r\nserver address or password. Due to the lack of these options, the C\u0026C server address is hard-coded in the malware.\r\nArgument | Feature\r\nP | C\u0026C URL or bind port number\r\nS | Change password\r\nC | C\u0026C server address\r\ndefault | Help message\r\nTable 1. Execution arguments of Tiny SHell\r\nhttps://asec.ahnlab.com/en/55229/\r\nPage 1 of 6\n\nFigure 2. Comparison between Tiny SHell and Rekoobe\r\nBoth Tiny SHell and Rekoobe utilize the HMAC SHA1 algorithm to generate an AES-128 key. This key is then used to\r\nencrypt the communication data with the C\u0026C server. 
The following is a brief summary of the communication process with\r\nthe C\u0026C server.\r\nA. C\u0026C -\u003e Client: HMAC SHA1 generation\r\nFirst, a 0x28-sized data packet is received from the C\u0026C server. This packet is divided into two 0x14-byte segments, which\r\nare used as the IV during the initialization of the HMAC SHA1 context. In addition, aside from the two 0x14-byte IVs that\r\nare transmitted during the initialization process, a hard-coded password string, “0p;/9ol.”, is also used.\r\nFigure 3. Hard-coded password used in key generation\r\nThe generated HMAC SHA1 values serve as the AES-128 key. This key is used for encrypting data when sending it to the\r\nC\u0026C server and decrypting data received from the C\u0026C server.\r\nB. C\u0026C -\u003e REKOOBE: Integrity data\r\nNext, 0x10-byte data is transmitted from the C\u0026C server for integrity verification purposes. Rekoobe decodes this received\r\ndata using the previously set AES-128 key and performs an additional XOR operation. This process allows the malware to\r\nobtain the size of the subsequent data it will receive. The subsequently transmitted data is used for integrity verification. It is\r\n0x10 bytes and should have the same value as the one shown below. Additionally, these values are the same as those\r\ndesignated in the Tiny SHell source code.\r\nFigure 4. Data used for the integrity check\r\nC. REKOOBE -\u003e C\u0026C: Integrity data\r\nOnce the integrity verification process is complete, the malware reverses the process and sends the C\u0026C server a 0x10-byte\r\ndata segment containing the same integrity data. When sending the data, it is also encrypted using the AES-128 key\r\ngenerated earlier from the HMAC SHA1 value.\r\nFigure 5. Integrity data being sent to the C\u0026C server\r\nD. C\u0026C -\u003e REKOOBE: C\u0026C command\r\nE. 
C\u0026C -\u003e REKOOBE: Additional data for each command\r\nOnce the previous steps are completed, a 1-byte command is received from the C\u0026C server. Depending on the value of this\r\n1 byte, three different commands can be performed: file upload, file download, or reverse shell execution.\r\nCommand Number | Command Type\r\n1 | Upload file\r\n2 | Download file\r\n3 | Reverse shell\r\nTable 2. C\u0026C commands\r\nFigure 6. Routine to connect to the C\u0026C server and execute commands\r\nNot only are there only three commands, but the structure of each command is simple as well. For example, when receiving\r\na file download command (0x02), the next packet received contains the path where the downloaded file should be written.\r\nThe process only involves creating a file in the specified path and writing the actual file data into it. The reverse shell\r\ncommand also has a simple format of redirecting the standard input and output to the socket connected to the C\u0026C server\r\nand executing /bin/sh.\r\nFigure 7. Reverse shell command\r\n3. Rekoobe Types\r\nAlthough the analysis so far has focused on one particular sample, it is worth noting that Rekoobe is still being detected in\r\nnumerous recent samples. The similarities, differences, and characteristics of recently collected Rekoobe samples will be\r\ncovered in this segment. The basic structure of using an HMAC SHA1-based AES128 encryption algorithm for\r\ncommunication with the C\u0026C server and the support for features such as file download/upload and reverse shell remain\r\nconsistent.\r\nThe major difference is the method of communication with the C\u0026C server. The Rekoobe variant discussed above initially\r\nconnects to a hard-coded C\u0026C server, but there are also variants that open ports and await connection from the C\u0026C server\r\nin a bind shell form. This is possible because Tiny SHell supports both methods.\r\nFigure 8. 
C\u0026C communication in the form of bind shell\r\nRekoobe is suspected to have a separate builder tool. One of the reasons for this assumption is the frequent appearance of\r\nmalware that uses the default string “replace with your password” instead of random password strings like the one covered\r\nabove. Therefore, it is believed that each malware is generated by a builder tool with the threat actor specifying a password\r\nfor each attack. Unlike the passwords, which use a different string every time, the data used for integrity verification\r\nuses the same “58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D” like most other source codes.\r\n4. Rekoobe Malware Used in Attacks Targeting Korea\r\nThe following are Rekoobe malware samples used in attacks targeting systems in Korea. Given that all the samples are\r\nbased on the x64 architecture and in the form of reverse shell, it suggests that they were targeting Linux servers. The “mails”\r\nand “service” samples were collected during a relatively similar time frame, and based on the almost identical passwords\r\nspecified by the threat actor, it is presumed that they were used by the same threat actor.\r\nName | Architecture | C\u0026C Communication Type | C\u0026C URL | Process Name Change | Password\r\njava | x64 | Reverse | 139.162.116[.]218:18120 | “/bin/bash” | “uiuizhihuowienjkn8891231.,@\r\nrmicd(123) | x64 | Reverse | 172.105.200[.]233:3661 | “[kondemand/23]” | “replaceadsfCSDFwithxdfyoas\r\nmails | x64 | Reverse | resolv.ctmailer[.]net:80 | “/bin/bash” | “0p;/9ol.”\r\nservice | x64 | Reverse | www[.]jxedunavi[.]com:443 | “/bin/bash” | “0p;/0p;/”\r\nTable 3. Rekoobe malware samples used in attacks\r\n5. Conclusion\r\nRekoobe is a backdoor that can receive commands from a C\u0026C server to perform various features such as downloading\r\nmalicious files, stealing internal files from a system, and executing a reverse shell. 
While it may appear simple in structure, it\r\nemploys encryption to evade network packet detection and can perform a variety of malicious behaviors through commands\r\nfrom the threat actor.\r\nBeing based on open-source code, Rekoobe can be used by other threat actors aside from the already identified Chinese\r\nthreat group APT31. It continues to be used in attacks targeting Linux servers, and cases of attacks against Korean systems\r\nare still being observed as well.\r\nTo mitigate such security threats, it is crucial to examine vulnerable configuration settings and authentication credentials.\r\nKeeping relevant systems up to date with the latest versions is also vital to protect against attacks of this nature. Also, V3\r\nshould be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Backdoor/Linux.Rekoob.52072 (2020.04.07.08)\r\n– Trojan/Linux.Rekoobe.XE141 (2020.08.01.00)\r\nMD5\r\n03a87253a8fac6d91d19ea3b47e2ca6c\r\n5f2e72ff741c4544f66fec16101aeaf0\r\n7851833a0cc3482993aac2692ff41635\r\n8921942fb40a4d417700cfe37cce1ce7\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//139[.]162[.]116[.]218[:]18120/\r\nhttp[:]//172[.]105[.]200[.]233[:]3661/\r\nhttp[:]//resolv[.]ctmailer[.]net/\r\nhttps[:]//www[.]jxedunavi[.]com/\r\nSource: https://asec.ahnlab.com/en/55229/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/55229/"
	],
	"report_names": [
		"55229"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775792146,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/646dfe781f28f84423f86961fcd6b99a63dbdd37.pdf",
		"text": "https://archive.orkl.eu/646dfe781f28f84423f86961fcd6b99a63dbdd37.txt",
		"img": "https://archive.orkl.eu/646dfe781f28f84423f86961fcd6b99a63dbdd37.jpg"
	}
}