The backdoor, named RedXOR, encodes its network data with an XOR-based scheme, which is where part of its name comes from. The samples appear to be old: they were built on a previous version of the Red Hat Enterprise Linux platform.
For those unfamiliar with the term, a backdoor is a way of bypassing a system's normal authentication. Threat actors who reach such a backdoor can gain access to sensitive files and code.
In their analysis of the backdoor, researchers describe a range of malicious capabilities, from browsing and exfiltrating data to rerouting network traffic to attacker-controlled endpoints and websites.
Linux systems are a frequent target for backdoors of this kind, and the usual entry points include compromised credentials as well as common misconfigurations or unpatched vulnerabilities.
It is also possible that the initial compromise happens on another endpoint, after which the attackers move laterally to a Linux system where the malware is then deployed.
Two samples of the backdoor were uploaded to VirusTotal, an online malware analysis service, from sources in Taiwan and Indonesia, which indicates that at least two entities have encountered it.
Executing the Linux systems backdoor:
When the backdoor, i.e. RedXOR, is executed, it creates a hidden directory named “.po1kitd.thumb” in the home directory, which is used to store files related to the malware.
The malware then installs a binary named “.po1kitd-update-k” into that hidden directory and establishes persistence through “init” scripts.
The malware stores its configuration inside the binary and then communicates with the C2 server. Over this connection it can carry out a variety of commands, including uploading, opening, and removing files, executing shell commands, rerouting network traffic, and modifying file contents.
Authentication to the C2 (command-and-control) server uses a password obtained from the proxy configuration.
Any of these commands can be abused by threat actors for financial or other gain.
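The host artifacts described above (the hidden “.po1kitd.thumb” directory, the “.po1kitd-update-k” binary inside it, and init scripts that reference that binary) can be checked for with a short script. This is an added example for defenders, not code from the article or from the researchers; the directory layout, the constructed sample files and the init-script location are assumptions for the demonstration.

```python
# Added example: scan home directories and an init-script directory for the
# RedXOR artifacts the article describes. All paths below are assumptions.
import tempfile
from pathlib import Path

HIDDEN_DIR = ".po1kitd.thumb"      # hidden directory created on execution
DROPPED_BIN = ".po1kitd-update-k"  # binary installed inside it


def scan_host(home_root: str, init_dir: str) -> list:
    """Return a list of findings (strings); an empty list means nothing was found."""
    findings = []
    # 1) hidden directory and dropped binary under each home directory
    for home in Path(home_root).iterdir():
        hidden = home / HIDDEN_DIR
        if hidden.is_dir():
            findings.append(f"hidden dir: {hidden}")
            if (hidden / DROPPED_BIN).is_file():
                findings.append(f"dropped binary: {hidden / DROPPED_BIN}")
    # 2) persistence: init scripts that reference the dropped binary
    init = Path(init_dir)
    if init.is_dir():
        for script in init.iterdir():
            if not script.is_file():
                continue
            try:
                text = script.read_text(errors="ignore")
            except OSError:
                continue
            if DROPPED_BIN in text:
                findings.append(f"init script references binary: {script}")
    return findings


def demo() -> list:
    """Build a constructed sample layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = Path(tmp) / "home"
        init = Path(tmp) / "init.d"
        (homes / "alice").mkdir(parents=True)             # clean user
        infected = homes / "bob" / HIDDEN_DIR              # constructed infected user
        infected.mkdir(parents=True)
        (infected / DROPPED_BIN).write_bytes(b"\x7fELF")   # placeholder bytes, not real malware
        init.mkdir()
        (init / "po1kitd").write_text(f"#!/bin/sh\n{infected / DROPPED_BIN} &\n")
        (init / "sshd").write_text("#!/bin/sh\nexec /usr/sbin/sshd\n")
        return scan_host(str(homes), str(init))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host the two arguments would be the parent of the user home directories and the init-script directory, and the findings list is what to feed into an alert.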
Chinese group link to Linux systems malware:
As for the link to the Chinese threat actor group Winnti, security researchers found fundamental similarities between this Linux malware, RedXOR, and other previously disclosed malware directly attributed to the Winnti group.
These include the PWNLNX backdoor, the XOR.DDOS botnet as well as the Groundhog botnet.
The Winnti group has previously made headlines as a state-sponsored hacking group carrying out both financially motivated and cyber-espionage operations.
Perhaps the most notable parallels between the new malware and Winnti's earlier tools are the use of open-source kernel rootkits to hide their processes, the use of the CheckLKM function name, and network encryption with XOR.
Linux systems facing increasing cyber threats:
Because Linux systems are widely used by organizations of all sizes to host data and workloads on the public cloud, they have reportedly seen a rising number of security incidents.
According to global statistics on deployed Linux systems, new Linux malware has increased by a striking 40%.
This sets a new record for Linux malware, with 56 distinct malware families now known.
Other hacking groups increasingly targeting Linux systems include APT28, APT29, and Carbanak, which have reportedly developed Linux versions of their traditional malware.