Security researchers at Intezer have discovered a previously undocumented backdoor that is currently being used in ongoing attacks against Linux systems.
Dubbed RedXOR after its XOR-based network data encoding scheme, the backdoor is believed to be the work of an advanced threat actor tied to China. The attribution rests on victimology, shared components and Tactics, Techniques, and Procedures (TTPs), and similarities between RedXOR and known malware (the PWNLNX backdoor and the XOR.DDoS and Groundhog botnets) previously associated with the Winnti umbrella threat group.
Intezer said the two RedXOR samples it discovered were uploaded to VirusTotal from Indonesia and Taiwan around Feb. 23-24, both countries known to be targeted by Chinese threat actors.
The malware comes as unstripped 64-bit ELF files (symbol names retained, which eases analysis) named po1kitd-update-k, a name that resembles polkitd, the PolicyKit daemon, with the digit 1 in place of the letter l. Upon execution it forks a child process and the parent exits, detaching the malware from the shell that launched it.
“The new child determines if it has been executed as the root user or as another user on the system. It does this to create a hidden folder, called “.po1kitd.thumb”, inside the user’s home folder which is used to store files related to the malware. The malware creates a hidden file called “.po1kitd-2a4D53” inside the folder. The file is locked to the currently running process; if another instance of the malware is executed, it also tries to obtain the lock but ultimately fails. Upon this failure the process exits,” the researchers explain.
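The single-instance lock described above can be turned around and used as a host check. The script below is an added example, not Intezer's code or the malware's: it walks candidate home directories for the .po1kitd.thumb folder and the .po1kitd-2a4D53 file named in the report, and probes the file with a non-blocking lock exactly the way a second malware instance would. It assumes the implant uses flock(); if it uses fcntl() record locks instead, a flock() probe will not see them, since the two lock types do not interact on Linux. The process-name check also handles the fact that the kernel truncates a task's comm to 15 characters, so a 16-character name like po1kitd-update-k shows up as po1kitd-update- in /proc.

```python
# Added example: hunting for the on-disk and process artefacts attributed to
# RedXOR in the text above. Not the malware's code and not from Intezer's report.
import errno
import fcntl
import os
import pwd
from pathlib import Path

# Names exactly as reported; assumed case-sensitive.
MARKER_DIR = ".po1kitd.thumb"
LOCK_FILE = ".po1kitd-2a4D53"
BINARY_NAME = "po1kitd-update-k"


def lock_is_held(path: str) -> bool:
    """True if some process currently holds an flock() on `path`.

    This mirrors the malware's own single-instance check: an exclusive
    non-blocking flock() fails with EWOULDBLOCK while another instance runs.
    flock() is an assumption; fcntl() record locks would not be detected here.
    """
    try:
        fd = os.open(path, os.O_RDONLY)  # flock() does not need write access
    except OSError:
        return False
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        if exc.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
            return True
        raise
    else:
        fcntl.flock(fd, fcntl.LOCK_UN)  # we got it, so nobody else had it
        return False
    finally:
        os.close(fd)


def scan_home(home: str):
    """Inspect one home directory; return findings or None if clean."""
    marker = Path(home) / MARKER_DIR
    if not marker.is_dir():
        return None
    lock = marker / LOCK_FILE
    present = lock.is_file()
    return {
        "home": str(home),
        "marker_dir": str(marker),
        "lock_file_present": present,
        "instance_running": present and lock_is_held(str(lock)),
    }


def candidate_homes():
    """Home directories of all local accounts plus /root, since the malware
    uses the running user's home and that is /root when it runs as root."""
    homes = {"/root"}
    for entry in pwd.getpwall():
        if entry.pw_dir and entry.pw_dir != "/":
            homes.add(entry.pw_dir)
    return sorted(homes)


def running_processes_named(name: str = BINARY_NAME, proc: str = "/proc"):
    """PIDs whose comm matches `name`, allowing for the kernel's 15-char comm limit."""
    if not os.path.isdir(proc):
        return []
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or not readable
        if comm in (name, name[:15]):
            pids.append(int(entry))
    return pids


def hunt(homes=None):
    """Scan the given home directories (default: all local accounts)."""
    targets = homes if homes is not None else candidate_homes()
    return [r for r in (scan_home(h) for h in targets) if r]


if __name__ == "__main__":
    for hit in hunt():
        print(hit)
    print("processes:", running_processes_named())
```

Run it as root so that every home directory is readable; a hit with instance_running set to True means a live process is holding the lock and is worth capturing before you touch the file.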
RedXOR communicates with its command and control server over a TCP socket, XOR-encoding the data it sends, and can perform various actions: gathering system information (IP address, MAC address, username, kernel version, etc.), updating or uninstalling itself, opening and removing files and folders, executing shell commands, creating new folders, and writing content to files.
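When the only thing known about a C2 channel is that it is XOR-encoded, the first triage step on a capture is to test whether a single-byte key was used and, if a field of the beacon can be guessed, to recover the key stream from that known plaintext. The following is an added example, not code from Intezer's report or from the malware; the article does not state RedXOR's key length, framing or field names, so the "field=value;" beacon layout, the marker strings, and the 0xA7 key are all constructed for the demonstration.

```python
# Added example: triaging an XOR-encoded C2 payload with an unknown key.
# Layout, marker strings, sample beacon and key are assumptions, not observed.
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))

# Strings a system-information beacon of the kind described (IP, MAC, username,
# kernel version) might carry. Assumed for scoring, not documented for RedXOR.
MARKERS = (b"ip=", b"mac=", b"user=", b"kernel=")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; a 1-byte key is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plaintext_score(candidate: bytes) -> float:
    """Fraction of printable bytes plus 0.5 per marker found; higher is more plausible."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    return printable + 0.5 * sum(m in candidate for m in MARKERS)


def brute_force_single_byte(payload: bytes, top: int = 3):
    """Try all 256 single-byte keys; return [(key, score, plaintext)] best first."""
    ranked = []
    for k in range(256):
        pt = xor_bytes(payload, bytes([k]))
        ranked.append((k, plaintext_score(pt), pt))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked[:top]


def key_from_known_plaintext(payload: bytes, known: bytes, offset: int = 0) -> bytes:
    """Known-plaintext recovery: if `known` sits at `offset`, the key stream over
    that span is payload ^ known. For a repeating key of length n this yields the
    whole key once len(known) >= n, so it also works for multi-byte keys."""
    return xor_bytes(payload[offset:offset + len(known)], known)


# Constructed sample: an assumed 'field=value;' beacon encoded with an assumed key.
SAMPLE_BEACON = b"ip=10.0.0.5;mac=00:0c:29:ab:cd:ef;user=root;kernel=5.4.0-65-generic"
SAMPLE_KEY = bytes([0xA7])
SAMPLE_PAYLOAD = xor_bytes(SAMPLE_BEACON, SAMPLE_KEY)


def decode_capture(payload: bytes = SAMPLE_PAYLOAD):
    """Return (key, plaintext) for the best-scoring single-byte key."""
    key, _score, plaintext = brute_force_single_byte(payload, top=1)[0]
    return key, plaintext


if __name__ == "__main__":
    key, pt = decode_capture()
    print(f"key=0x{key:02x} plaintext={pt!r}")
    print("key stream from known prefix:", key_from_known_plaintext(SAMPLE_PAYLOAD, b"ip="))
```

If brute force produces no candidate with a high printable ratio, the key is longer than one byte or the scheme is not a plain repeating XOR; in that case the known-plaintext helper, fed a field you are confident about, gives you the key bytes for that span, and repeats in the recovered stream reveal the key length.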
More detailed technical information about this new threat, as well as Indicators of Compromise (IoCs) for the malware, is available in Intezer's report.