New malware compiled on Red Hat Enterprise Linux uses a network data encoding scheme based on XOR, creates a backdoor in systems that gives an attacker near full control over infected machines. (“Linux password file” by Christiaan Colen is licensed under CC BY-SA 2.0)
Researchers at Intezer found a new piece of malware targeting Linux endpoints and servers.
The malware, which Intezer calls RedXOR because it was compiled on Red Hat Enterprise Linux and uses a network data encoding scheme based on XOR, creates a backdoor in systems that gives an attacker near full control over infected machines. The researchers found two samples of the malware on VirusTotal, uploaded from Taiwan and Indonesia, and believe the campaign is still active.
Once deployed, RedXOR allows an attacker to browse files, upload and download files, exfiltrate data, deploy web shells or tunnel network traffic to another destination. Joakim Kennedy, a researcher at the company, told SC Media that the malware was designed “to be very stealthy” and needs to be compiled for the specific kernel version that’s actually running on targeted machines, making it more suited for compromising a handful of strategically-chosen endpoints rather than a broad-based attack.
“It runs at such a high level that they have the capability to do anything and hide the process, so in theory in could be invisible to any normal user or even a root user, the highest privilege user on the machine,” said Kennedy.
The malware requires some form of initial access as a first step, and while Intezer doesn’t know what was used from the samples that were uploaded, Kennedy said it would be “relatively simple” to pair it with an initial access exploit. The malware also has the ability to be updated, something that could allow the attackers to install new versions or evade detection from defenders.
“If the threat actor for some reason gets spooked and thinks that their infrastucture has been detected or reported or compromised in some way, they could then quickly just create a new version of the malware with a new command and control server,” said Kennedy.
The researchers believe RedXOR is being used by a hacking group tied to the Chinese government. It shares key similarities with previous malware and botnets used by Winnti Group, or APT 41, a threat group linked to the Chinese intelligence services with a penchant for targeting industries that are strategically important to Beijing. According to Kennedy, there are overlaps between the way RedXOR operates, the use of open-source kernel rootkits, coding language and the use of XOR to encode network data. While it’s always possible another threat group is mimicking the same tactics, techniques and procedures, Intezer has only ever seen these similarities in other Winnti Group campaigns.
“As far as we’ve seen, we haven’t come across this kind of behavior before, so it kind of has a very unique touch to it,” said Kennedy.
While malware targeting Linux operating systems has previously been viewed as rare, those perceptions are fast changing. 2020 was a banner year for Linux-based malware, with joint research from Intezer and IBM’s X-Force finding 56 Linux malware families, a 40% increase from 2019 and a 500% increase since 2010. The increase is being driven in part by cloud adoption strategies, with some sources estimating that as much as 90% of public cloud workloads run on Linux-based systems.