In recent news, APT31 has employed the Rekoobe backdoor to target TradingView, a popular financial platform. Researchers discovered malicious domains posing as TradingView, indicating a potential interest in compromising the platform’s user community. This observation sheds light on the evolving tactics of APT31 to evade detection and access sensitive information.
An open directory located at 27.124.45[.]146:9998 revealed the presence of two Rekoobe malware binaries, namely 10-13-x64.bin and 10-13-x86.bin. Both binaries attempted to establish communication with the same IP address on port 12345. The x64 binary, na.elf, exhibited behavior similar to NoodRAT/Noodle RAT, suggesting potential attribution but requiring further analysis for confirmation.
Furthermore, investigations into backdoor files exposed typosquatting domains that mirrored the legitimate TradingView website but contained additional “l”s, increasing the risk of users inadvertently visiting these fake sites. Although no active webpages were discovered, the Wayback Machine indicated a 404 error for these domains in September 2024, hinting at a possible attempt to exploit financial platforms with Linux-based user bases.
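The lookalike pattern described above (the brand name with extra letters inserted) can be checked for in DNS or proxy logs. The following is an added example, not code or indicators from the report; the sample hostnames are constructed, and the brand label and thresholds are assumptions.

```python
# Constructed sample hosts (not the report's indicators): the brand, lookalikes
# with inserted "l"s of the kind described, one substitution, one unrelated name.
BRAND = "tradingview"
SAMPLE_HOSTS = [
    "tradingview.com",      # legitimate
    "www.tradingview.com",  # legitimate subdomain
    "tradinglview.com",     # one inserted "l"
    "tradlingvliew.com",    # two inserted "l"s
    "tradingvlew.com",      # "i" replaced by "l"
    "example.org",          # unrelated
]

def registrable_label(host: str) -> str:
    """Second-level label; naive split that assumes a one-label TLD such as .com."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_subsequence(small: str, big: str) -> bool:
    """True if `small` can be obtained from `big` by deleting characters only."""
    it = iter(big)
    return all(ch in it for ch in small)

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the general lookalike measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, brand: str = BRAND, max_extra: int = 2) -> str:
    """Label a host relative to the brand's registrable label."""
    label = registrable_label(host)
    if label == brand:
        return "legitimate"
    # Insertion-style squat: the brand is fully present with a few extra
    # characters, which is the "additional l's" pattern described in the report.
    if is_subsequence(brand, label) and len(label) - len(brand) <= max_extra:
        return "insertion-lookalike"
    if levenshtein(label, brand) <= max_extra:
        return "near-lookalike"
    return "unrelated"

def flag_lookalikes(hosts):
    """Return {host: class} for every host that resembles the brand but is not it."""
    flagged = {}
    for host in hosts:
        verdict = classify(host)
        if verdict not in ("legitimate", "unrelated"):
            flagged[host] = verdict
    return flagged
```

The subsequence test is deliberately narrower than edit distance so that a single-letter insertion squat is labelled separately from arbitrary near matches, which helps when tuning alert thresholds.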
The existence of these suspicious domains alongside the Rekoobe backdoor suggests a potential infrastructure overlap aimed at targeting financial institutions. Three IP addresses (27.124.45[.]231, 1.32.253[.]2, and 27.124.45[.]211) were associated with 27.124.45[.]146 through shared SSH keys, indicating a coordinated operational setup. These IPs, hosted in Hong Kong, exhibited similar characteristics and shared open directories with identical software versions and Rekoobe-detected files.
According to Hunt, 27.124.45[.]211 also hosts Yakit, a cybersecurity tool that could be misused for malicious purposes. The presence of such tools within the shared infrastructure underscores the need for further investigation to assess potential risks. The discovery of the Rekoobe backdoor in an open directory unveiled a broader malicious infrastructure, including fake domains resembling TradingView and interconnected servers linked through shared SSH keys.
Key network observables such as IP addresses, ASNs, domains, host countries, and file hashes play a crucial role in identifying coordinated malicious activities. The specific IP address 27.124.45[.]146 served as the host for malicious files and shared SSH keys with other IPs, indicating potential coordinated actions by threat actors.
Overall, the intricate web of malicious activities orchestrated by APT31 using the Rekoobe backdoor against TradingView underscores the importance of vigilance and proactive cybersecurity measures to safeguard sensitive financial information and protect user communities from such threats. The collaboration between researchers and cybersecurity experts will continue to play a vital role in combating sophisticated cyber threats targeting critical financial infrastructure.