A previously unknown backdoor targeting Linux systems has been discovered, which acts as a conduit to connect machines to a botnet and then downloads and installs rootkits. The malware was named B1txor20 because it spreads carrying the b1t filename, the XOR encryption algorithm, and a key length of 20 bytes in the RC4 algorithm. The malware was discovered spreading via the ‘Log4j’ vulnerability for the first time on February 9, 2022. It uses a technique known as DNS tunnelling to establish communication channels with command and control(C&C) servers by encoding data in DNS queries and responses.
The malware is also said to actively exploit the ‘Log4Shell’ vulnerability, which was discovered in mid-December of 2021 by Apache Software Foundation. Upon discovery, the development team released an emergency security update that fixed a zero-day vulnerability (CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Services project.
Despite several shortcomings, 'B1txor20' should still be considered a serious threat since it currently supports functions such asobtaining a shell, executing arbitrary commands, installing a rootkit, opening a SOCKS5 proxy, and restoring sensitive information to the C2 server. When malware successfully compromises a machine, it uses the DNS tunnel to receive and execute commands sent by the server. After covering up the stolen sensitive information, command execution results, and other information with specific coding techniques, the bot sends a DNS request to C2. In response to the DNS request, C2 sends the payload to the bot side. Bot and C2 communicate using the DNS protocol in this manner.
The malware is able to load system information, execute arbitrary system commands, read and write files, start or stop proxy services, and create reverse shells.
Solution
Users who choose to integrate the ‘DNS and Security Gap Visibility’ solution in to their current EDR solution, are able to detect the specific applications that send queries to these suspicious domains. In other words, the files, executables, and applications infected as a result of the ‘Log4J’ vulnerability can be directly identified.
