Rekoobe Backdoor and Typosquatting Domains: A Potential Threat to TradingView Users
In a recent cybersecurity discovery, Hunt.io’s Threat Hunting Platform unveiled a new Rekoobe backdoor, this time found lurking in open directories and possibly designed to target unsuspecting TradingView users. Known for its history with APT31, or Zirconium, Rekoobe has resurfaced, showing signs of sophisticated encryption and customized command-and-control protocols aimed at evading detection.
While analyzing open directories, Hunt.io’s researchers stumbled upon two Rekoobe malware samples at an open directory server: 27.124.45[.]146:9998. “Both files were identified as Rekoobe by Hatching Triage,” the report noted, “which exposed two binaries: 10-13-x64.bin and 10-13×86.bin.” This naming convention matches Rekoobe’s past behavior, using file names based on the format of month-day-architecture, which has been typical in the APT31 playbook.
Interestingly, both binaries tried to establish a connection to the very server where they were hosted, specifically reaching out to port 12345. The malware’s behavior bore a resemblance to patterns identified in other RATs, such as “NoodRAT” and “Noodle RAT,” where files altered their process names and replicated within the /tmp/CCCCCCCC directory. However, Hunt.io’s report cautioned, “The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.”
Further investigation revealed the registration of domains closely resembling the legitimate TradingView website, such as “tradingviewlll[.]com” and “admin.tradingviewll[.].com.” The report highlights the deceptive nature of these domains: “These minor changes, such as the addition of an extra ‘I’ in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.” This technique, known as typosquatting, is commonly employed to deceive users into divulging sensitive information or downloading malware.
Researchers also identified a network of servers linked by shared SSH keys. One of these servers mirrored the original open directory, containing the same Rekoobe samples and, notably, the Yakit Security Tool. While Yakit is a legitimate cybersecurity tool used for penetration testing and security research, its presence within this network raises questions about its potential misuse in this particular context.
Despite the absence of active content on the typosquatting domains at the time of the investigation, the combined presence of the Rekoobe backdoor, the deceptive domains, and the interconnected servers strongly suggests a concerted effort potentially targeting TradingView users and their financial assets.
Users are urged to exercise caution, verify website addresses before entering credentials, remain wary of unsolicited communications, and maintain updated software and security measures to mitigate the risks posed by such threats.