Hackers are targeting legacy Linux systems with advanced malware believed to have been created by cyber criminals backed by the Chinese state.
The malware, dubbed RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).
This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.
Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download files, as well as tunnel network traffic. The backdoor is also difficult to detect, disguising itself as a polkit daemon, which is a background process for managing a component that controls system-wide privileges.
“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.
“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”
On installation, the malware moves its binaries to a hidden folder named ‘po1kitd.thumb’, as part of its efforts to disguise itself as the polkit daemon. The malware then communicates with the command and control server in the guise of HTTP traffic, from where instructions are then sent.
Researchers have observed the server issuing a total of 19 separate commands, including requesting system information and issuing updates to the malware. The “on and off” availability of the command and control server also suggests the operation is still active, the researchers claim.
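The disguise described above relies on a look-alike name: ‘po1kitd’ reads as ‘polkitd’ at a glance because the digit 1 stands in for the letter l. The following script is an added example for defenders, not code from the article or from Intezer; it folds digit-for-letter homoglyphs in file and directory names and flags any name that is not the genuine ‘polkitd’ spelling but normalises to it, noting whether the path is hidden by a dot-prefixed component. The sample paths are constructed, and only the polkitd name is checked (both assumptions of this example).

```python
"""Heuristic scan for files and directories that imitate the polkit daemon name.

Added example (not Intezer's tooling or the article's): it checks a list of
paths, or a real directory tree, for names that fold to 'polkitd' once
digit-for-letter homoglyphs are replaced, as in the 'po1kitd.thumb' folder.
"""
import os

# Homoglyph folding: digits that attackers substitute for similar letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

# The legitimate name being imitated (assumption: only polkitd is checked here).
LEGIT_NAMES = {"polkitd"}


def base_name(name: str) -> str:
    """Lower-case, drop a leading dot and any extension: '.po1kitd.thumb' -> 'po1kitd'."""
    return name.lower().lstrip(".").split(".")[0]


def is_lookalike(name: str) -> bool:
    """True when a name is not the legitimate spelling but folds to it."""
    base = base_name(name)
    if base in LEGIT_NAMES:
        return False  # the real daemon, or a file named exactly after it
    return base.translate(HOMOGLYPHS) in LEGIT_NAMES


def is_hidden(path: str) -> bool:
    """Any dot-prefixed component hides the path from a plain 'ls'."""
    return any(part.startswith(".") for part in path.split("/") if part)


def scan_paths(paths):
    """Return (path, visibility) for every path whose last component is a look-alike."""
    findings = []
    for path in paths:
        name = os.path.basename(path.rstrip("/"))
        if is_lookalike(name):
            findings.append((path, "hidden" if is_hidden(path) else "visible"))
    return findings


def scan_tree(root: str):
    """Walk a real directory tree and apply the same heuristic to every entry."""
    candidates = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            candidates.append(os.path.join(dirpath, entry))
    return scan_paths(candidates)


# Constructed sample paths: a genuine polkitd binary, three imitations, and noise.
SAMPLE_PATHS = [
    "/usr/lib/polkit-1/polkitd",
    "/home/user/.po1kitd.thumb/po1kitd",
    "/tmp/.p0lkitd.thumb",
    "/opt/po1kitd",
    "/usr/bin/python3",
]

if __name__ == "__main__":
    for path, visibility in scan_paths(SAMPLE_PATHS):
        print(f"look-alike ({visibility}): {path}")
```

Run against a live host with `scan_tree("/")`; a hit that is also hidden is the stronger signal, since a genuine polkitd install has no reason to live under a dot-prefixed directory.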
To build the backdoor, the hackers used the Red Hat 4.4.7 GNU Compiler Collection (GCC) compiler, which is the default GCC for RHEL 6. This was first released in 2010.
Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running RHEL 6. Intezer, however, has not disclosed the number of, or nature of, the victims it has identified. According to Enlyft, roughly 50,000 organisations use RHEL installations.
Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are much rarer.
Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets – all affiliated with hackers supported by the Chinese state.
The samples uncovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.