Cybersecurity researchers on Wednesday disclosed a new sophisticated backdoor targeting Linux endpoints and servers that is believed to be the work of Chinese nation-state actors.
Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group, such as PWNLNX, XOR.DDOS and Groundhog.
RedXOR's name comes from the fact that it encodes its network data with a scheme based on XOR, and that it is compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, suggesting that the malware is deployed in targeted attacks against legacy Linux systems.
Aside from the overlaps in terms of overall flow and functionality and the use of XOR encoding between RedXOR and PWNLNX, the backdoor takes the form of an unstripped 64-bit ELF file ("po1kitd-update-k"), complete with a typosquatted name ("po1kitd" vs. "polkitd"), which, upon execution, proceeds to create a hidden directory to store files related to the malware, before installing itself on the machine.
Additionally, the malware comes with an encrypted configuration that houses the command-and-control (C2) IP address and port, and the password it needs to authenticate to the C2 server, before establishing a connection over a TCP socket.
What's more, the communications are not only disguised as harmless HTTP traffic, but are also encoded in both directions using an XOR encryption scheme, the results of which are decrypted to reveal the exact command to be run.
RedXOR supports a multitude of capabilities, including gathering system information (MAC address, username, distribution, clock speed, kernel version, etc.), performing file operations, executing commands with system privileges, running arbitrary shell commands, and even options to remotely update the malware.
Users victimized by RedXOR can take protective measures by killing the process and removing all files related to the malware.
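As an added example (not Intezer's code and not part of the original report), a small Python check for the two host artefacts described above: a process name one character off a legitimate daemon name, as with "po1kitd" versus "polkitd", and an executable running from a hidden directory. The daemon list and the sample process table are constructed, and the hidden directory path is a placeholder, since the report excerpt does not name it.

```python
# Legitimate daemon names to compare against (assumed short list; extend for real use).
KNOWN_DAEMONS = {"polkitd", "sshd", "systemd", "crond", "rsyslogd"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_name(comm: str) -> str:
    """Drop a '-suffix' so 'po1kitd-update-k' is compared as 'po1kitd'."""
    return comm.split("-", 1)[0]

def is_typosquat(comm: str, known=KNOWN_DAEMONS):
    """Return the legitimate daemon name a process name imitates, or None."""
    name = base_name(comm)
    if name in known:
        return None  # exact match: the real daemon
    for legit in known:
        if edit_distance(name, legit) == 1:  # one character off, e.g. 'l' -> '1'
            return legit
    return None

def in_hidden_dir(exe: str) -> bool:
    """True if any directory component of the executable path starts with a dot."""
    return any(part.startswith(".") for part in exe.split("/")[:-1] if part)

def scan(procs):
    """Flag (pid, comm, exe) entries that look typosquatted or run from a hidden directory."""
    findings = []
    for pid, comm, exe in procs:
        imitated = is_typosquat(comm)
        hidden = in_hidden_dir(exe)
        if imitated or hidden:
            findings.append((pid, comm, imitated, hidden))
    return findings

# Constructed sample process table; the hidden directory name is a placeholder, not a real IoC.
SAMPLE_PROCS = [
    (612, "polkitd", "/usr/lib/polkit-1/polkitd"),
    (901, "sshd", "/usr/sbin/sshd"),
    (1337, "po1kitd-update-k", "/tmp/.example-hidden/po1kitd-update-k"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCS):
        print("suspicious:", finding)
```

On a live host the same `scan` can be fed tuples built from `/proc/<pid>/comm` and `/proc/<pid>/exe`; a hit is a lead to triage, not proof of RedXOR.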
If anything, the latest development points to an increase in the number of active campaigns targeting Linux systems, partly due to widespread adoption of the operating system for IoT devices, web servers, and cloud servers, leading attackers to port their existing Windows tools to Linux or develop new tools that support both platforms.
"Some of the most prominent nation-state actors are incorporating offensive Linux capabilities into their arsenal and it is expected that both the number and sophistication of such attacks will increase over time," Intezer researchers outlined in a 2020 report charting the last decade of Linux APT attacks.