Linux Systems Under Attack By New RedXOR Malware
Reading Time: 1 Minute
Researchers say the new RedXOR backdoor is targeting Linux systems with various data exfiltration and network traffic tunneling capabilities.
Researchers have discovered a new backdoor targeting Linux systems, which they link back to the Winnti threat group.
The backdoor is called RedXOR – in part because its network data-encoding scheme is based on the XOR encryption algorithm, and in part because its samples were found on an old release of the Red Hat Enterprise Linux platform. The latter fact provides a clue that RedXOR is utilized in targeted attacks against legacy Linux systems, noted researchers.
The malware has various malicious capabilities, said researchers – from exfiltrating data to tunneling network traffic to another destination.
“The initial compromise in this campaign is not known but some common entry points to Linux environments are: Use of compromised credentials or by exploiting a vulnerability or misconfiguration,” Avigayil Mechtinger, security researcher with Intezer, told Threatpost. “It is also possible the initial compromise was via a different endpoint, meaning the threat actor laterally moved to a Linux machine where this malware was deployed.”
The samples were detected after being uploaded to VirusTotal from two different sources in Indonesia and Taiwan. Researchers told Threatpost that based on this, it is likely that at least two entities have discovered the malware in their environment.
RedXOR Malware: Cybersecurity Threat
After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”), and sets up persistence via “init” scripts.
“The malware stores the configuration encrypted within the binary,” said researchers, in a Wednesday analysis. “In addition to the command-and-control (C2) IP address and port, it can also be configured to use a proxy. The configuration includes a password… This password is used by the malware to authenticate to the C2 server.”
After establishing this configuration, the malware then communicates with the C2 server over a TCP socket, and can execute various different commands (via a command code). These commands include: uploading, removing or opening files, executing shell commands, tunneling network traffic and writing content to files.
See Also: Offensive Security Tool: Sparta
See Also: Hacking Stories: Albert Gonzalez & the ‘Get Rich or Die Trying’ Crew who stole 130 million credit-card numbers
Malware Authors Eye Linux Systems
Researchers said that 2020 saw a 40-percent increase in new Linux malware families – a new record at 56 malware strains. Beyond Winnti, threat actors like APT28, APT29 and Carbanak are developing Linux versions of their traditional malware, they said.
“Linux systems are under constant attack given that Linux runs on most of the public cloud workload,” said Intezer researchers. “A survey conducted by Sophos found that 70 percent of organizations using the public cloud to host data or workloads experienced a security incident in the past year.”
Source: https://threatpost.com
(Click Link)