REPTILE

Description

(Mandiant) To achieve persistent access on the FortiManager device, the threat actor deployed a backdoor with the filename /bin/klogd (MD5: 53a69adac914808eced2bf8155a7512d) that Mandiant refers to as REPTILE, a variant of a publicly available Linux kernel module (LKM) rootkit. With the assistance of TABLEFLIP, the threat actor was able to successfully forward traffic and access the REPTILE backdoor using iptables traffic redirection rules.

Once executed, REPTILE created a packet socket to receive OSI layer 2 packets. When a packet was received, the backdoor would perform the check seen in the pseudocode in Figure 20 to determine if a magic string was present.

Names

Name
REPTILE

Type

Backdoor

Information

https://cloud.google.com/blog/topics/threat-intelligence/fortinet-malware-ecosystem/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile

Other Information

Uuid

e6153a12-1a8f-4727-8c7d-dfe7ea45cc67

Last Card Change

2024-08-27

Threat Intelligence Garden

Explorer

REPTILE

REPTILE

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks