Linux Systems Under Attack By New RedXOR Malware

Linux malware target

Researchers say the new RedXOR backdoor is targeting Linux systems with various data exfiltration and network traffic tunneling capabilities.

Researchers have discovered a new backdoor targeting Linux systems, which they link back to the Winnti threat group.

The backdoor is called RedXOR – in part because its network data-encoding scheme is based on the XOR encryption algorithm, and in part because its samples were found on an old release of the Red Hat Enterprise Linux platform. The latter fact provides a clue that RedXOR is utilized in targeted attacks against legacy Linux systems, noted researchers.

The malware has various malicious capabilities, said researchers – from exfiltrating data to tunneling network traffic to another destination.

“The initial compromise in this campaign is not known but some common entry points to Linux environments are: Use of compromised credentials or by exploiting a vulnerability or misconfiguration,” Avigayil Mechtinger, security researcher with Intezer, told Threatpost. “It is also possible the initial compromise was via a different endpoint, meaning the threat actor laterally moved to a Linux machine where this malware was deployed.”

The samples were detected after being uploaded to VirusTotal from two different sources in Indonesia and Taiwan. Researchers told Threatpost that based on this, it is likely that at least two entities have discovered the malware in their environment.

RedXOR Malware: Cybersecurity Threat
After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”), and sets up persistence via “init” scripts.

“The malware stores the configuration encrypted within the binary,” said researchers, in a Wednesday analysis. “In addition to the command-and-control (C2) IP address and port, it can also be configured to use a proxy. The configuration includes a password… This password is used by the malware to authenticate to the C2 server.”

After establishing this configuration, the malware then communicates with the C2 server over a TCP socket, and can execute various different commands (via a command code). These commands include: uploading, removing or opening files, executing shell commands, tunneling network traffic and writing content to files.

Chinese Threat Actor Connection
Researchers said they found “key similarities” between RedXOR and other previously reported malware that is associated with Winnti: the PWNLNX backdoor, the XOR.DDOS botnet and the Groundhog botnet. The Winnti threat group (a.k.a. APT41, Barium, Wicked Panda or Wicked Spider) is known for nation-state-backed cyber-espionage activity as well as financial cybercrime.

These similarities include the use of open-source kernel rootkits (used for hiding their processes); the function name CheckLKM being used; network encoding with XOR; and various similarities in the main functions flow.

Also, “the overall code flow, behavior and capabilities of RedXOR are very similar to PWNLNX,” said researchers. “Both have file uploading and downloading functionalities together with a running shell. The network-tunneling functionality in both families is called ‘PortMap.’”

Malware Authors Eye Linux Systems
Researchers said that 2020 saw a 40-percent increase in new Linux malware families – a new record at 56 malware strains. Beyond Winnti, threat actors like APT28, APT29 and Carbanak are developing Linux versions of their traditional malware, they said.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload,” said Intezer researchers. “A survey conducted by Sophos found that 70 percent of organizations using the public cloud to host data or workloads experienced a security incident in the past year.”