Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
Tags
Common Information
Type | Value |
---|---|
UUID | c712afba-ce62-42e0-9d77-fb07eb918d2d |
Fingerprint | 9e90961b2cfb3d9d |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 28, 2023, midnight |
Added to db | June 1, 2023, 10:51 a.m. |
Last updated | Nov. 17, 2024, 6:56 p.m. |
Headline | Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts |
Title | Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts |
Detected Hints/Tags/Attributes | 137/4/118 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://blog.exatrack.com/melofee/ |
URL Provider
Attributes
Note: the attribute list below appears to be extracted automatically from the source article, so it mixes genuine indicators with reference artifacts. The domains blackhat.com, documents.trendmicro.com, medium.com, www.recordedfuture.com and blog.csdn.net, and several file names (the two PDFs and socksmanager.cpp), come from the cited reference URLs and Yara rule strings rather than from the malware's infrastructure, and 192.168.1.101 is an RFC 1918 address taken from the usage-example string in the AlienReverse Yara rule. T5183.004 is not a valid MITRE ATT&CK identifier (technique IDs have the form T1nnn or T1nnn.nnn) and is probably an extraction error. Verify each value against the original Exatrack post before using it as a detection or blocking indicator.
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1 | www.data-yuzefuji.com |
|
Details | Domain | 1 | git1ab.com |
|
Details | Domain | 1 | cloudf1are.com |
|
Details | Domain | 1 | dev.yuanta.dev |
|
Details | Domain | 1 | dgbyem.com |
|
Details | Domain | 1 | update.ankining.com |
|
Details | Domain | 1 | ssm.awszonwork.com |
|
Details | Domain | 1 | stock.awszonwork.com |
|
Details | Domain | 1 | help.git1ab.com |
|
Details | Domain | 1 | about.git1ab.com |
|
Details | Domain | 1 | www.git1ab.com |
|
Details | Domain | 1 | cdn.cloudf1are.com |
|
Details | Domain | 1 | cdn2.cloudf1are.com |
|
Details | Domain | 1 | cdn3.cloudf1are.com |
|
Details | Domain | 1 | cdn4.cloudf1are.com |
|
Details | Domain | 1 | dns.cloudf1are.com |
|
Details | Domain | 1 | dns2.cloudf1are.com |
|
Details | Domain | 1 | test.yuanta.dev |
|
Details | Domain | 1 | us.securitycloud-symantec.icu |
|
Details | Domain | 2 | vt.livehost.live |
|
Details | Domain | 35 | blackhat.com |
|
Details | Domain | 60 | documents.trendmicro.com |
|
Details | Domain | 434 | medium.com |
|
Details | Domain | 546 | www.recordedfuture.com |
|
Details | Domain | 30 | blog.csdn.net |
|
Details | File | 15 | a.dat |
|
Details | File | 104 | www.dat |
|
Details | File | 1 | socksmanager.cpp |
|
Details | File | 1 | as-22-leonsilvia-nextgenplugxshadowpad.pdf |
|
Details | File | 3 | wp-operation-earth-berberoka.pdf |
|
Details | File | 32 | blog.cs |
|
Details | sha256 | 1 | 3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d |
|
Details | sha256 | 1 | 758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0 |
|
Details | sha256 | 1 | a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a |
|
Details | sha256 | 1 | 2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009 |
|
Details | sha256 | 1 | 8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7 |
|
Details | sha256 | 1 | f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68 |
|
Details | sha256 | 1 | 330a61fa666001be55db9e6f286e29cce4af7f79c6ae267975c19605a2146a21 |
|
Details | sha256 | 1 | 7149cdb130e1a52862168856eae01791cc3d9632287f990d90da0cce1dc7c6b9 |
|
Details | sha256 | 1 | a62b67596640a3ebadd288e733f933ff581cc1822d6871351d82bd7472655bb5 |
|
Details | sha256 | 1 | 3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88 |
|
Details | sha256 | 1 | 2e62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8 |
|
Details | sha256 | 1 | 407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8 |
|
Details | sha256 | 1 | 187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17 |
|
Details | sha256 | 1 | 2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66f11bf88f8c7c2e5a6b009 |
|
Details | sha256 | 1 | 6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0 |
|
Details | sha256 | 1 | 7684e1dfaeb2e7c8fd1c9bd65041b705bc92a87d9e11e327309f6c21b5e7ad97 |
|
Details | sha256 | 1 | 899ef7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc |
|
Details | sha256 | 1 | c36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8 |
|
Details | sha256 | 1 | ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8 |
|
Details | sha256 | 1 | 1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9 |
|
Details | sha256 | 1 | 22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a |
|
Details | sha256 | 1 | 3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d |
|
Details | sha256 | 2 | 5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743 |
|
Details | sha256 | 1 | 378acfdbcec039cfe7287faac184adf6ad525b201cf781db9082b784c9c75c99 |
|
Details | sha256 | 1 | 617f9add4c27f3bb91a32fee007cce01f5a51deaf42e75e6cec3e71afe2ba967 |
|
Details | sha256 | 2 | 69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd |
|
Details | sha256 | 1 | ad979716afbce85776251d51716aeb00665118fb350038d150c129256dd6fc5f |
|
Details | sha256 | 1 | f49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281 |
|
Details | sha256 | 1 | 2c1a6fe08c8cbdc904809be4c12b520888da7f33123d1656a268780a9be45e20 |
|
Details | sha256 | 1 | a37661830859ca440d777af0bfa829b01d276bb1f81fe14b1485fa3c09f5f286 |
|
Details | IPv4 | 1 | 173.209.62.186 |
|
Details | IPv4 | 1 | 156.67.208.192 |
|
Details | IPv4 | 1 | 5.61.57.80 |
|
Details | IPv4 | 1 | 147.139.28.254 |
|
Details | IPv4 | 1 | 173.209.62.187 |
|
Details | IPv4 | 1 | 173.209.62.188 |
|
Details | IPv4 | 1 | 173.209.62.189 |
|
Details | IPv4 | 1 | 173.209.62.190 |
|
Details | IPv4 | 1 | 167.172.73.202 |
|
Details | IPv4 | 1 | 47.243.51.98 |
|
Details | IPv4 | 1 | 185.145.128.90 |
|
Details | IPv4 | 1 | 103.87.10.100 |
|
Details | IPv4 | 1 | 202.182.101.174 |
|
Details | IPv4 | 1 | 144.202.112.187 |
|
Details | IPv4 | 1 | 38.54.30.39 |
|
Details | IPv4 | 30 | 192.168.1.101 |
|
Details | MITRE ATT&CK Techniques | 82 | T1583.001 |
|
Details | MITRE ATT&CK Techniques | 1 | T5183.004 |
|
Details | MITRE ATT&CK Techniques | 442 | T1071.001 |
|
Details | MITRE ATT&CK Techniques | 96 | T1587.001 |
|
Details | MITRE ATT&CK Techniques | 10 | T1037.004 |
|
Details | MITRE ATT&CK Techniques | 86 | T1059.004 |
|
Details | MITRE ATT&CK Techniques | 40 | T1132.002 |
|
Details | MITRE ATT&CK Techniques | 130 | T1573.001 |
|
Details | MITRE ATT&CK Techniques | 585 | T1083 |
|
Details | MITRE ATT&CK Techniques | 16 | T1592.002 |
|
Details | MITRE ATT&CK Techniques | 94 | T1564.001 |
|
Details | MITRE ATT&CK Techniques | 9 | T1562.003 |
|
Details | MITRE ATT&CK Techniques | 297 | T1070.004 |
|
Details | MITRE ATT&CK Techniques | 1 | T1599.001 |
|
Details | MITRE ATT&CK Techniques | 159 | T1095 |
|
Details | MITRE ATT&CK Techniques | 115 | T1571 |
|
Details | MITRE ATT&CK Techniques | 160 | T1027.002 |
|
Details | MITRE ATT&CK Techniques | 28 | T1027.007 |
|
Details | MITRE ATT&CK Techniques | 42 | T1588.001 |
|
Details | MITRE ATT&CK Techniques | 59 | T1588.002 |
|
Details | MITRE ATT&CK Techniques | 433 | T1057 |
|
Details | MITRE ATT&CK Techniques | 95 | T1572 |
|
Details | MITRE ATT&CK Techniques | 152 | T1090 |
|
Details | MITRE ATT&CK Techniques | 41 | T1014 |
|
Details | MITRE ATT&CK Techniques | 49 | T1608.001 |
|
Details | MITRE ATT&CK Techniques | 15 | T1608.002 |
|
Details | MITRE ATT&CK Techniques | 1006 | T1082 |
|
Details | MITRE ATT&CK Techniques | 57 | T1497.003 |
|
Details | Threat Actor Identifier by Recorded Future | 18 | TAG-22 |
|
Details | Url | 1 | http://173.209.62.186:8765/installer |
|
Details | Url | 1 | http://173.209.62.186:8765/a.dat |
|
Details | Url | 1 | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant |
|
Details | Url | 1 | https://i.blackhat.com/asia-22/thursday-materials/as-22-leonsilvia-nextgenplugxshadowpad.pdf |
|
Details | Url | 3 | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new |
|
Details | Url | 2 | https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf |
|
Details | Url | 1 | https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a |
|
Details | Url | 1 | https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan |
|
Details | Url | 1 | https://blog.csdn.net/weixin_29100927/article/details/116577862 |
|
Details | Yara rule | 1 | rule UNK_APT_MelofeeImplant { meta: author = "Exatrack" date = "2023-03-03" update = "2023-03-03" description = "Detects the Melofee implant" tlp = "CLEAR" sample_hash = "a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a,f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68,8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7" strings: $str_melofee_implant_01 = "10PipeSocket" $str_melofee_implant_02 = "ikcp_ack_push" $str_melofee_implant_03 = "TLSSocketEE" $str_melofee_implant_04 = "/tmp/%s.lock" $str_melofee_implant_05 = "neosmart::WaitForMultipleEvents" $str_melofee_implant_06 = "9TLSSocket" $str_melofee_implant_07 = "7VServer" $str_melofee_implant_08 = "N5boost6detail13sp_ms_deleterI13UdpSocketWrapEE" $str_melofee_implant_09 = "UdpServerWrap" $str_melofee_implant_10 = "KcpUpdater" $str_melofee_implant_11 = "SelfForwardServer" $str_command_parsing_01 = { 3? 01 00 05 00 ?? ?? ?? ?? 00 00 3? 01 00 05 00 ?? ?? 3? 05 00 04 00 } $str_command_parsing_02 = { 3? 04 00 04 00 ?? ?? ?? ?? 00 00 3? 04 00 04 00 ?? ?? 3? 05 00 01 00 } $str_command_parsing_03 = { 3? 01 00 07 00 ?? ?? ?? ?? 00 00 3? 01 00 09 00 ?? ?? ?? ?? ?? 00 3? 01 00 06 00 } condition: 3 of them } |
|
Details | Yara rule | 1 | rule UNK_APT_Melofee_Installer { meta: author = "Exatrack" date = "2023-03-15" update = "2023-03-15" description = "Detects the installer for melofee malware" score = 80 tlp = "AMBER" source = "Exatrack" sample_hash = "758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0" strings: $str_melofee_installer_01 = "#Script for starting modules" $str_melofee_installer_02 = "#End script" $str_melofee_installer_03 = "/etc/intel_audio/" $str_melofee_installer_04 = "rm -fr /etc/rc.modules" $str_melofee_installer_05 = "-i <data file> Install" $str_melofee_installer_06 = "cteate home folder failed" $str_melofee_installer_07 = "create rootkit file failed" $str_melofee_installer_08 = "create auto start file failed" $str_melofee_installer_09 = "Remove Done!" $str_melofee_installer_10 = "Unkown option %c\n" condition: any of them } |
|
Details | Yara rule | 1 | rule UNK_APT_Alien_Implant { meta: author = "Exatrack" date = "2023-03-03" update = "2023-03-03" description = "Detects an unknown implant from AlienManager family, maybe related to melofee" tlp = "CLEAR" sample_hash = "3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88," strings: $str_alien_01 = "[+] Connect %s Successed,Start Transfer..." $str_alien_02 = "Alloc buffer to decrypt data error, length == %d." $str_alien_03 = "pel_decrypt_msg data error, error" $str_alien_04 = "encrypt data error, length == %d." $str_alien_05 = "DoRecvOverlapInternal error!" $str_alien_06 = "Socks Listen port is %d,Username is %s, password is %s" $str_alien_07 = "Start port mapping error! remoteAddr=%s remotePort=%d localAddr=%s localPort=%d" $str_alien_08 = "OnCmdSocksStart error!" $str_alien_09 = "The master isn't readable!" $str_alien_10 = "ConnectBypassSocks proxy:%s:%d error!" $str_alien_11 = "ConnectBypassSocks to %s %d" $str_alien_12 = "now datetime: %d-%d-%d %d:%d:%d" $str_alien_13 = "Not during working hours! Disconnect!" $str_alien_14 = "Example: ./AlienReverse --reverse-address=192.168.1.101:80 --reverse-password=123456" $str_alien_15 = "Not during working hours! Disconnect!" $str_alien_16 = "SocksManager.cpp" $str_alien_17 = "connect() in app_connect" $str_alien_18 = "They send us %hhX %hhX" $str_alien_19 = "your input directory is not exist!" $str_alien_20 = "Send data to local error ==> %d.\n" condition: any of them } |