A newly discovered botnet is enlisting Linux devices into an army of bots that steal sensitive information, install rootkits, open reverse shells, and act as web traffic proxies. Researchers at Qihoo 360’s Network Security Research Lab (360 Netlab) have named the malware B1txor20. It targets Linux systems on the ARM and x64 CPU architectures.
The botnet infects new systems with exploits for the Log4j vulnerability, a particularly attractive attack vector given that hundreds of businesses run the vulnerable Apache Log4j logging library. B1txor20 was first spotted on February 9, when the initial sample was caught by one of the researchers’ honeypots. The researchers found four malware samples in total, each with backdoor, SOCKS5 proxy, malware download, data theft, arbitrary command execution, and rootkit installation capabilities.
What distinguishes B1txor20 is its use of DNS tunneling as the communication channel to its command-and-control (C2) server. DNS tunneling is an old but still reliable technique in which attackers abuse the DNS protocol to carry malware and data inside DNS requests and responses.
“Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request,” the researchers clarified. “After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol.”
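The exchange the researchers describe, data encoded into query names and commands returned in responses, leaves a characteristic footprint in DNS logs: a single domain receiving many unique, long, high-entropy subdomain lookups. The following Python script is an added example, not code from 360 Netlab or the report, showing one way a defender can score DNS query logs for that pattern. It assumes a log line format of `<timestamp> <client_ip> <qname> <qtype>`, uses the last two labels as a crude stand-in for the registrable domain, and runs over a few constructed sample lines.

```python
"""Heuristic scoring of DNS query logs for tunneling-style traffic.

Added example, not code from the 360 Netlab report. Assumes each log line is
"<timestamp> <client_ip> <qname> <qtype>". Sample lines below are constructed.
"""
import math
from collections import defaultdict

# Constructed sample log: three ordinary lookups under example.com and four
# lookups with long hex-like labels under tun.example.net (tunneling-style).
SAMPLE_LOG = """\
2022-02-09T10:00:01Z 10.0.0.5 www.example.com A
2022-02-09T10:00:02Z 10.0.0.5 cdn.example.com AAAA
2022-02-09T10:00:03Z 10.0.0.7 a8f3e1c9b2d7e4f6a1b5c3d9e7f2a4b6.tun.example.net TXT
2022-02-09T10:00:04Z 10.0.0.7 c4d1b9e7f2a6c8d3e5f7a9b1c3d5e7f9.tun.example.net TXT
2022-02-09T10:00:05Z 10.0.0.7 e2f4a6b8c1d3e5f7a9b2c4d6e8f1a3b5.tun.example.net TXT
2022-02-09T10:00:06Z 10.0.0.7 b7c9d1e3f5a7b9c2d4e6f8a1b3c5d7e9.tun.example.net TXT
2022-02-09T10:00:07Z 10.0.0.5 mail.example.com MX
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score high, hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def registered_domain(qname: str) -> str:
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text: str, min_queries: int = 3, entropy_threshold: float = 3.0,
            label_len_threshold: int = 24, unique_ratio_threshold: float = 0.8) -> dict:
    """Aggregate per registrable domain and flag tunneling-like behaviour.

    A domain is suspicious when it receives at least `min_queries` lookups,
    almost every lookup is for a different name, and the leftmost label is on
    average either high-entropy or unusually long. Thresholds are assumptions
    to be tuned against a site's own baseline.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt_null": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[registered_domain(rec["qname"])]
        first_label = rec["qname"].split(".")[0]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        s["entropy_sum"] += shannon_entropy(first_label)
        s["len_sum"] += len(first_label)
        if rec["qtype"] in ("TXT", "NULL"):   # record types that carry bulk data
            s["txt_null"] += 1

    report = {}
    for domain, s in stats.items():
        q = s["queries"]
        avg_entropy = s["entropy_sum"] / q
        avg_len = s["len_sum"] / q
        unique_ratio = len(s["names"]) / q
        suspicious = (q >= min_queries and unique_ratio >= unique_ratio_threshold
                      and (avg_entropy >= entropy_threshold or avg_len >= label_len_threshold))
        report[domain] = {"queries": q, "unique_ratio": unique_ratio,
                          "avg_entropy": round(avg_entropy, 2), "avg_label_len": avg_len,
                          "txt_null_queries": s["txt_null"], "suspicious": suspicious}
    return report


def suspicious_domains(log_text: str, **thresholds) -> list:
    """Sorted list of domains the heuristics flagged."""
    return sorted(d for d, r in analyze(log_text, **thresholds).items() if r["suspicious"])


if __name__ == "__main__":
    for domain, r in analyze(SAMPLE_LOG).items():
        print(f"{domain:<14} queries={r['queries']} unique={r['unique_ratio']:.2f} "
              f"entropy={r['avg_entropy']} len={r['avg_label_len']:.1f} "
              f"txt/null={r['txt_null_queries']} suspicious={r['suspicious']}")
```

On the sample input only example.net is flagged: its four queries all carry distinct 32-character labels with entropy well above 3 bits per character, while example.com's short hostnames stay far below both thresholds. In practice the registrable-domain guess should be replaced with a public-suffix list, and the thresholds baselined against normal traffic, since CDNs and some telemetry services legitimately produce long, unique subdomains.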
According to 360 Netlab, the malware’s authors built in a wider range of functionality than is currently active. This most likely means the disabled features are not yet working reliably and the authors intend to enable them once they are improved. The 360 Netlab report includes further details, including indicators of compromise (IoCs) and a list of all supported C2 commands.
Since its disclosure, the Log4Shell vulnerability has been exploited by a wide range of threat actors, including state-sponsored groups affiliated with the governments of China, Iran, North Korea, and Turkey, as well as access brokers working for ransomware gangs. In December, for example, threat actors were found leveraging the Log4j flaw to infect vulnerable Linux systems with the Mirai and Muhstik Linux malware families.
These botnets have been observed “recruiting” IoT devices and servers to deploy cryptocurrency miners and launch large-scale DDoS attacks. 360 Netlab reported earlier this month that Barracuda had observed a variety of payloads aimed at vulnerable Log4j deployments, with Mirai botnet variants used for DDoS and crypto-mining accounting for the majority of them.