{
	"id": "06133893-107a-4777-a585-e5f2fe9f90dc",
	"created_at": "2026-04-06T00:06:53.473535Z",
	"updated_at": "2026-04-10T03:21:46.463905Z",
	"deleted_at": null,
	"sha1_hash": "cc1c9fd645b8ac1b1f9da320efd770fb69af9bae",
	"title": "Linux.Rekoobe.1 — Dr.Web Malware description library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56156,
	"plain_text": "Linux.Rekoobe.1 — Dr.Web Malware description library\r\nPublished: 2015-12-03 · Archived: 2026-04-05 18:09:24 UTC\r\nSHA1\r\na11bda0acdb98972b3dec706d35f7fba59587f99 (SPARC)\r\n04f691e12af2818015a8ef68c6e80472ae404fec (SPARC)\r\n466d045c3db7c48b78c6bb95873b817161a96370 (SPARC)\r\ncd274e6b73042856e9eec98d258a96cfbe637f6f (Intel x86)\r\n8e93cfbaaf7538f8965080d192df712988ccfc54 (Intel x86-64)\r\nA Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86 and x86-64 computers.\r\nThe Trojan’s configuration data is stored in a file encrypted with an XOR algorithm. The file may be located at one of the following paths:\r\n/usr/lib/liboop-trl.so.0.0.0\r\n/usr/lib/libhistory.so.5.7\r\n/usr/lib/libsagented.so.1\r\n/usr/lib/libXcurl\r\n/usr/lib/llib-llgrpc\r\nThe file has the following structure:\r\nSECRET value\r\nMAGIC value\r\nPROXYHOST value\r\nPROXYPORT value\r\nUSERNAME value\r\nPASSWORD value\r\nENDPOINT value\r\nSERVER_PORT value\r\nCONNECT_BACK_DELAY value\r\nIn place of “value”, each line holds the value of the corresponding parameter. Once the data from the configuration file has been read successfully, the Trojan contacts the C\u0026C server for commands at the interval specified by the CONNECT_BACK_DELAY parameter. The address of the server is specified by the ENDPOINT parameter. If the value of the PROXYHOST parameter is not “none”, the connection to the server is established via a proxy server, the authorization data for which is also taken from the configuration file.\r\nThe connection to the C\u0026C server begins with the Trojan sending the MAGIC parameter from the configuration file and receiving a 40-byte response. 
Then the 40 bytes are split into two blocks, which are used to initialize two AES contexts: one block for received data and the other for sent data:\r\nint __cdecl AES_Init(st_aes_ctx *aes_ctx, char *data, char *salt)\r\n{\r\n    ...\r\n    if ( RecvPacket(fd, buffer, 40, 0) != 1 )\r\n        goto err_occured;\r\n    *(_DWORD *)dec_salt = *(_DWORD *)buffer;\r\n    *(_DWORD *)\u0026dec_salt[4] = *(_DWORD *)\u0026buffer[4];\r\n    *(_DWORD *)\u0026dec_salt[8] = *(_DWORD *)\u0026buffer[8];\r\n    *(_DWORD *)\u0026dec_salt[12] = *(_DWORD *)\u0026buffer[12];\r\n    *(_DWORD *)\u0026dec_salt[16] = *(_DWORD *)\u0026buffer[16];\r\n    *(_DWORD *)enc_salt = *(_DWORD *)\u0026buffer[20];\r\n    *(_DWORD *)\u0026enc_salt[4] = *(_DWORD *)\u0026buffer[24];\r\n    *(_DWORD *)\u0026enc_salt[8] = *(_DWORD *)\u0026buffer[28];\r\n    *(_DWORD *)\u0026enc_salt[12] = *(_DWORD *)\u0026buffer[32];\r\n    *(_DWORD *)\u0026enc_salt[16] = *(_DWORD *)\u0026buffer[36];\r\n    AES_Init(\u0026aes_ctx_encrypt, secret, enc_salt);\r\n    AES_Init(\u0026aes_ctx_decrypt, secret, dec_salt);\r\n    ...\r\n}\r\nhttps://vms.drweb.com/virus/?i=7754026\u0026lng=en\r\nPage 1 of 4\r\nwhere the AES_Init function derives the encryption key from the SHA1 hash of the “secret” parameter and the enc_salt or dec_salt block passed to it:\r\nint __cdecl AES_Init(st_aes_ctx *aes_ctx, char *data, char *salt)\r\n{\r\n    ...\r\n    sha1_init(\u0026ctx);\r\n    sha1_update(\u0026ctx, data, strlen(data));\r\n    sha1_update(\u0026ctx, salt, 0x14u);\r\n    sha1_final(\u0026ctx, hash);\r\n    AES_InitKey(aes_ctx, hash, 128);\r\n    ...\r\n}\r\nFor every AES context, the AES_Init function also creates two special 40-byte blocks which are later used for the signature: the verify_1 array is filled with 40 bytes of value 0x36, and the verify_2 array with 40 bytes of value 0x5C. 
Then the first 20 bytes of each array are XORed with the corresponding 20 bytes of the AES key.\r\nAll further data transmitted in either direction over the established connection is sent as specially formed packets.\r\nThe first received packet contains a 16-byte identifier. The Trojan compares it with the identifier stored in its body; if they match, the malware sends a verification to the server.\r\nOnce the connection to the C\u0026C server is established, the Trojan attempts to get a command from the server. Of the received command number, the first two bytes are ignored and the third one is the command identifier.\r\nWhen receiving a packet from the server, the malware first reads 16 bytes, which are encrypted in AES-CBC-128 mode. The first WORD (MSB) of the received buffer is the size of the next data block (the size parameter).\r\nThe Trojan then calculates the packet size by the formula “packetsize = size + 2 bytes + alignment” and receives packetsize + 4 bytes of data into the same buffer at an offset of 0x10 bytes from its beginning. The last 20 bytes are the signature.\r\nTo verify the signature, its first DWORD is modified as follows: the first three bytes are replaced with zeros, and the fourth one is set to the packet number (the Trojan keeps counters of received and sent packets in the corresponding AES contexts). 
Then the buffer holding the received data, with that DWORD modified, is used to generate a SHA1 hash (the buffer is referred to as “buffer”):\r\n...\r\nsha1_init(\u0026sha1_ctx);\r\nsha1_update(\u0026sha1_ctx, aes_ctx_decrypt.verify_1, 0x40u);\r\nsha1_update(\u0026sha1_ctx, buffer, size + 4);\r\nsha1_final(\u0026sha1_ctx, \u0026hash);\r\nsha1_init(\u0026sha1_ctx);\r\nsha1_update(\u0026sha1_ctx, aes_ctx_decrypt.verify_2, 0x40u);\r\nsha1_update(\u0026sha1_ctx, \u0026hash, 0x14u);\r\nsha1_final(\u0026sha1_ctx, \u0026hash);\r\n...\r\nNote that only the payload and the DWORD containing the packet number are hashed; the remaining 4 DWORDs of the signature are not included in the hashed data.\r\nThe first 20 bytes of the resulting hash are compared with the packet signature. If they match, the packet is decrypted; otherwise, it is considered invalid.\r\nSending a packet to the server is performed in the same way.\r\nThe Trojan can execute three commands:\r\nReverse Shell (cmd == 0x03)\r\nDownload a file (cmd == 0x02)\r\nUpload a file to the command and control server (cmd == 0x01)\r\nSource: https://vms.drweb.com/virus/?i=7754026\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://vms.drweb.com/virus/?i=7754026\u0026lng=en"
	],
	"report_names": [
		"?i=7754026\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc1c9fd645b8ac1b1f9da320efd770fb69af9bae.pdf",
		"text": "https://archive.orkl.eu/cc1c9fd645b8ac1b1f9da320efd770fb69af9bae.txt",
		"img": "https://archive.orkl.eu/cc1c9fd645b8ac1b1f9da320efd770fb69af9bae.jpg"
	}
}