Researchers say the new RedXOR backdoor is targeting Linux systems with various data exfiltration & network traffic tunnelling capabilities.
Researchers have discovered the new backdoor targeting Linux systems, which they link to the Winnti threat group.
The backdoor is called RedXOR – in part because its network data-encoding scheme is based on the XOR encryption algorithm, & in part because its samples were found on an old release of the Red Hat Enterprise Linux platform. The latter fact provides a clue that RedXOR is utilised in targeted attacks against legacy Linux systems, outlined researchers.
Malicious Capabilities
The malware has various malicious capabilities, commented researchers – from exfiltrating data to tunnelling network traffic to another destination.
“The initial compromise in this campaign is not known but some common entry points to Linux environments are: Use of compromised credentials or by exploiting a vulnerability or misconfiguration,” explained Avigayil Mechtinger, Security Researcher with Intezer.
Endpoint
“It is also possible the initial compromise was via a different endpoint, meaning the threat player laterally moved to a Linux machine where this malware was deployed.”
The samples were found after being uploaded to VirusTotal from 2 different sources in Indonesia & Taiwan. Researchers explained that based on this, it is likely that at least 2 entities have discovered the malware in their environment.
Cyber-security Threat
After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilised to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”) & sets up persistence via “init” scripts.
“The malware stores the configuration encrypted within the binary,” stated researchers, in a Wed. analysis. “In addition to the command-and-control (C2) IP address & port, it can also be configured to use a proxy. The configuration includes a password… This password is used by the malware to authenticate to the C2 server.”
After establishing this configuration, the malware then communicates with the C2 server over a TCP socket, & can execute various different commands (via a command code). These commands include uploading, removing, or opening files, executing shell commands, tunnelling network traffic & writing content to files.
Chinese Connection
Researchers said they found “key similarities” between RedXOR & other previously reported malware that is associated with Winnti: the PWNLNX backdoor, the XOR.DDOS botnet and the Groundhog botnet. The Winnti threat group (a.k.a. APT41, Barium, Wicked Panda or Wicked Spider) is known for nation-state-backed cyber-espionage activity as well as financial cybercrime.
Kernel Rootkits
These similarities include the use of open-source kernel rootkits (used for hiding their processes); the function name CheckLKM being used; network encoding with XOR; and various similarities in the main functions flow.
Also, “the overall code flow, behaviour & capabilities of RedXOR are very similar to PWNLNX,” said researchers. “Both have file uploading and downloading functionalities together with a running shell. The network-tunnelling functionality in both families is called ‘PortMap.’”
Linux Systems
Researchers said that 2020 saw a 40% increase in new Linux malware families – a new record at 56 malware strains. Beyond Winnti, threat players such as APT28, APT29 & Carbanak are developing Linux versions of their traditional malware, they commented.
“Linux systems are under constant attack given that Linux runs on most of the public cloud workload,” observed Intezer researchers. “A survey conducted by Sophos found that 70% of organisations using the public cloud to host data or workloads experienced a security incident in the past year.”
https://www.cybernewsgroup.co.uk/virtual-conference-april-2021/
