Cybersecurity researchers at Intezer reported a new sophisticated backdoor targeting Linux endpoints and servers. Intezer believes Chinese nation-state actors are behind it.
The backdoor, dubbed “RedXOR” by Intezer, acts as a polkit daemon and shares similarities with the malware associated with Winnti Umbrella (or Axiom) threat group such as PWNLNX, Groundhog, and XOR.DDOS.
RedXOR encodes its network data with a method based on XOR and is compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux. It was designed to specifically target Linux systems.
According to Intezer, there two samples of the malware that were uploaded from Indonesia and Taiwan around Feb. 23-24, countries with links to China threat groups.
The backdoor takes the form of an unstripped 64-bit ELF file with the name “po1kitd-update-k” which, upon execution, creates a hidden directory in which it stores files and then installs itself on the compromised machine.
Polkit, malware designed for defining and handling authorizations, provides a hacker “with unprivileged processes to communicate with privileged processes,” researchers explain. The malware comes with an encrypted configuration for the command-and-control (C2) IP address and port, and the password it needs for authenticating to the C2 server.
RedXOR disguises communications as harmless HTTP traffic and also encodes both ways using XOR encryption.
RedXOR allows cybercriminals who control it to gather system information (MAC address, username, distribution, clock speed, etc.), perform file operations, execute commands with system privileges, and run arbitrary shell commands.
Intezer says users whose machines had been infected by RedXOR can protect themselves by killing the process and removing malware files.
Intezer predicts that the number and sophistication of attacks on Linux systems will increase in 2021.
“Some of the most prominent nation-state actors are incorporating offensive Linux capabilities into their arsenal,” Intezer researchers said in its 2020 report.