New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9

Background

On July 27, 2024, XLab's Cyber Threat Insight and Analysis System(CTIA) detected an ELF file named pskt from IP address 45.92.156.166. Currently undetected on VirusTotal, the file triggered two alerts: an Overlay section and a communication domain mimicking Microsoft. Our analysis identified it as a Melofee backdoor variant, specifically targeting Red Hat Enterprise Linux (RHEL) 7.9.

Melofee, a C++ backdoor, enables data collection, process management, file handling, and shell access. Originally exposed by ExaTrack in March 2023 and attributed to the APT group Winnti, this latest variant has notable upgrades. Structurally, it embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections. Functionally, it adds improvements in persistence, single-instance control, and function ID design.

By examining the sample's Run-Time Type Information (RTTI), we observed source-level modifications. For instance, the network connection class name has changed from TLSSocket in earlier samples to TlsConn in this variant, suggesting ongoing reconstruction and use of Melofee beyond the security community's radar.

Notably, during our investigation, we encountered an intriguing misattribution. The new variant utilizes the C2 address filemanage.micrsofts-file.com. According to Passive DNS (PDNS) records, this C2's second-level domain, micrsofts-file.com and its associated domain, www.micrsofts-file.com resolved to IP address 91.195.240.123 between November 2023 and June 2024. This IP also appeared in BlackBerry's July 2024 report on the APT group SideWinder and has been flagged as malicious by several security vendors on VirusTotal. Does this imply that Melofee has circulated among multiple organizations, becoming a cross-group tool rather than being exclusive to a single group?

We believe this is unlikely. The IP address 91.195.240.123 is a parking IP provided by domain registrar NameSilo. Labeling it as malicious likely constitutes a false positive. NameSilo automatically resolves new registered second-level domains and "www" subdomains to this IP, leading to potential misattributions, as legitimate domains, unrelated malicious domains, and APT activities may all share this IP.

Due to limited visibility, we currently lack details on the attacker’s entry methods and goals. We invite others to share insights to enrich the technical landscape. Given the low detection rate of this sample and Melofee’s stealth, we’re sharing these findings with the community for broader cybersecurity awareness.

This report covers:

  • Overlay structure and decryption method
  • Driver module’s functionalities
  • Melofee’s capabilities

Technical Details

We have captured a single sample with the following details:

MD5: 603e38a59efcf6790f2b4593edb9faf5
Magic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=48bcb3f7c78bc746e25264058a76145b63bbf440, for GNU/Linux 3.2.0, stripped

This variant operates in two modes based on launch parameters: Infection Mode and Management Mode.

  • Infection Mode (No Parameters)
    When launched without parameters, Melofee enters Infection Mode, performing the following:

    • Enforces single instance via /tmp/lock_tmp1
    • Achieves persistence via crontab, disguising the process name as [md] or wwwwww
    • Decrypts and installs a driver module for stealth across files, processes, network connections, and directories
    • Decrypts and connects to its C2 server, awaiting commands
  • Management Mode (With Parameters)
    When launched with parameters, Melofee enters Management Mode, controlling driver hiding functionality:

    • hide: Activates hiding features
    • show: Deactivates hiding
    • kill: Terminates the process

This design enables flexible operation across infection and management needs. The next sections will cover Melofee’s decryption, driver module, and backdoor functions in detail.

Part 1: Decryption

Melofee stores its RC4-encrypted driver module as an overlay appended to the file’s end, using a structure called drv_overlay:

struct drv_overlay {
    int encrypted_payload[payload_size];
    int payload_size;
    char flag[12];
}

In this sample, the flag is set to "EV#?YLFAkoip" and payload_size is 0x6a08. The encrypted_payload spans 0x6a08 bytes backward from payload_size.

klove_overlay.png

Using the key 87JoENDi, the encrypted_payload is decrypted to reveal the driver module kworkerx, designed for RHEL 7.9 with kernel version 3.10.0.

klove_mod.png

The C2 configuration is also RC4-encrypted, using the same key 87JoENDi.

Encrypted C2 Data:

00000000  a2 a4 96 0e 27 ee 40 54 a5 3a 52 8e 65 cf b1 e1  |¢¤..'î@T¥:R.eϱá|
00000010  29 69 32 86 ae 56 4d 28 a2 b8 da 6e e1 05 5d 65  |)i2.®VM(¢¸Úná.]e|
00000020  fc 86 88 50 43 17                                |ü..PC.|

Decrypted C2 Configuration:

0:filemanage.micrsofts-file.com:443:60

This configuration includes the following elements:

  • Connection Type
  • C2 Domain
  • C2 Port
  • Interval

Part 2: Driver Module Analysis

The decrypted driver module, kworkerx, has the following basic information:

MD5: 839f60efee25f07df7b23ba9d6bef892
Magic: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=c440028449ebce5c899a51ef0eb4d7fc43493253, not stripped

Through analysis, we confirmed that kworkerx is a modified version of the open-source project Reptile. The original Reptile project supports 12 functions, categorized into two main types: hiding and backdoor capabilities. kworkerx primarily utilizes the hiding functions.

klove_feature.png

Hiding Mechanisms in kworkerx

  • Network Communication Hiding: kworkerx hooks the tcp4_seq_show function within its initialization routine, effectively hiding all network traffic on port 443.
  • File, Process, and Directory Hiding: To conceal files, processes, and directories, kworkerx hooks several functions, including fillonedir, filldir, filldir64, and vfs_read.

Communication with User Space

kworkerx also hooks the inet_ioctl function to facilitate communication with user-space applications and receive control commands.

klove_ioctl.png

When a user-space application calls the ioctl function with the second parameter set to 0xE0E0E0E, it triggers the handler function khook_inet_ioctl in kworkerx. Within this function, kworkerx interprets the third parameter to either enable or disable specific hiding functions, providing fine-grained control over its concealment capabilities.

Arg.cmd Capability
0 show all
1 hide all
2 hide proc
3 show proc
5 file tampering
7 hide file,dir
8 unhide_chdir
9 hide_chdir

Part 3: Melofee Analysis

After installing the kworkerx kernel driver module via the init_module function, Melofee enables TCP connection hiding by default. Additional hiding features, such as process, directory, and persistence concealment, are activated through control commands sent via IOCTL.

klove_hide.png

When executed without parameters in a virtual machine, Melofee successfully concealed its process, the sample file, the persistence script, and network connections. Running the sample again with the show parameter revealed the process, sample file, and persistence script, while the network connection remained hidden. Finally, using the rmmod command to unload the kworkerx module restored visibility to the previously hidden network connection.

klove_vm.png

After installing the driver module, Melofee decrypts the C2 configuration and establishes communication, waiting to receive and execute commands. The functionality of this sample aligns with the description provided in the ExaTrack analysis report, though there are differences in function IDs.

CMD ID Capability
0x11 uninstall
0x22 collect device info
0x33 launch new command thread
0x34 write file
0x35 read file
0x36 create new socket
0x37 list directory
0x38 create directory
0x3a delete directory
0x3b create process to exec cmd
0x3c exec command with output (including set new c2 ip)
0x3d collect process info
0x3e kill process
0x3f launch shell
0x7b ping back

Summary

Melofee offers straightforward functionality with highly effective stealth capabilities. Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets. Network administrators can check for infection by looking for artifacts like the /tmp/lock_tmp1 file and the kworkerx module. If signs of infection are detected, follow the previous steps to remove associated drivers, processes, files, and persistence mechanisms.

We welcome readers to share additional insights and intelligence. If you’re interested in our research, feel free to reach out to us via Platform X.

IOC

MD5

603e38a59efcf6790f2b4593edb9faf5 *pskt
839f60efee25f07df7b23ba9d6bef892 *kworkerx

C2

filemanage.micrsofts-file[.]com:443

Downloader

http://45.92.156[.]166/klove/pskt