Data Security

Chinese hackers using RedXOR backdoor against Linux systems

RedXOR is incredibly extensive malware that can steal data, gather system information such as the MAC address, username, clock speed, distribution, clock speed, and kernel version.


Chinese state-sponsored hackers have been pretty active lately. Just last week Microsoft revealed that its Exchange Email server was targeted by Chinese hackers after which 30,000 organizations across the globe are at risk. This includes European Banking Authority (EBA) who has already acknowledged that hackers were in its email system.

RECENT: Ongoing ‘FreakOut’ malware attack turns Linux devices into IRC botnet

But now, another group of Chinese state-sponsored hackers has been found using a new Linux malware capable of stealing personal data and browsing data from a targeted system.

Chinese State-Sponsored Hackers Deploying RedXOR on Legacy Linux Systems.

The IT security researchers at Intezer have discovered that hackers are targeting legacy Linux systems with RedXOR malware, which is developed by Chinese state-sponsored hackers.

It is worth noting that Linux systems are regularly targeted because most of the public cloud workload is run on these systems.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.” 

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers.


How it works

Researchers Avigayil Mechtinger and Joakim Kennedy from Intezer revealed that malware operators are deploying RedXOR to infiltrate Linux systems and endpoints to steal data, browse files, upload/download data, and tunnel network traffic. 

RedXOR encodes its network data with an XOR Boolean logic operations-based scheme, often used in cryptography. Then the data is compiled through a legacy compiler on an older version of Red Hat Enterprise Linux.

Malware Disguises itself as a Background Process

This backdoor is challenging to detect as it successfully disguises itself as a background process called polkit daemon to manage a component that controls system-wide privileges.

LATEST: Deleted Keybase chat images retrievable on Windows, macOS, Linux

Polkit is an authorization defining and handling toolkit used to enable unprivileged processes to communicate with privileged processes. Researchers have found similarities between RedXOr and threat group Axiom or Winnti Umbrella-associated malware like Groundhog, PWNLNX, and XOR.DDOS.

RedXOR Bioasts Encrypted Configuration.

Reportedly, the malware has an encrypted configuration, which houses the C2 IP address, port, and the password it requires to authenticate the server prior to establishing a connection over a TCP socket. The communications are disguised as HTTP traffic and also encoded using the XOR encryption scheme. The results are decrypted to reveal which command is to be run.


RedXOR Supports Extensive Capabilities

The functions of RedXOR are incredibly extensive. It can gather system information such as the MAC address, username, clock speed, distribution, clock speed, and kernel version.

Moreover, it can execute commands with system privileges, run arbitrary shell commands, perform file operations, and remotely update the malware. 

You can prevent RedXOR malware invasion by taking protective measures. You can either kill the process or delete all malware-related files to stay protected.


Comments
To Top