According to Intezer, there are similarities found between the malware and the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog; and it is believed that Chinese nation-state threat actors are behind it. And the malware samples were uploaded from Indonesia and Taiwan, both countries that are known to be targeted by China-based threat groups.
The moniker "RedXOR" was derived from its network data which is encoded with a scheme based on XOR, and compiled with a legacy GCC compiler on old release of Red Hat Enterprise Linux, which perhaps suggests that the malware is targeted at legacy Linux systems.
RedXOR possesses capabilities, such as stealing system information, performing file operations, running arbitrary shell commands, and executing commands with system privileges, or even options to remotely update the malware.
How RedXOR Malware targets legacy Linux systems
RedXOR use of XOR encoding between RedXOR and PWNLNX, allows it to take the form of an unstripped 64-bit ELF file ("po1kitd-update-k"), complete with a typosquatted name ("po1kitd" vs. "polkitd"), that upon execution, creates a hidden directory to store files, before finally installing itself on Linux machine.
Besides the similarities in terms of the overall flow and functionalities, RedXOR comes with an encrypted configuration housing the command-and-control (C2) server and port, and password is needed to authenticate the C2 server, before establishing any connection over a TCP socket.
And the communications aren't only disguised as HTTP traffic, but also encoded on both ways using an XOR encryption scheme, which are decrypted to conceal the exact command.
How Users victimized by RedXOR can take protective measures?
Linux users who are already victimized by RedXOR can take protective measures by simply killing the system process and remove all files related to the malware.
But above all, as sophisticated attacks on Linux systems continue to increase over time, it is now necessary to protect your Linux system with advanced security software, especially for business or enterprise users.
No comments