B1txor20, A Linux Backdoor Using DNS Tunnel (17th March 2022)

Ref# AL2022_17 | Date: Mar 17th 2022


Researchers have discovered a new botnet in active development that aims to entangle Linux systems into an army of bots ready to steal sensitive information, install rootkits, create reverse shells, and operate as web traffic proxies.


The newly found malware, dubbed B1txor20 focuses its attacks on Linux ARM, X64 CPU architecture devices. This malware was first spotted on February 9 by researchers at Netlab 360. A total of four malware samples were captured with backdoor, SOCKS5 proxy, malware downloading, data theft, arbitrary command execution, and rootkit installing functionality.

How it works

For communication channels with the command-and-control (C2) server, the B1txor20 malware uses DNS tunneling. Bots provide stolen sensitive data, command execution results, and any other information that must be delivered to C2 via a DNS request, after disguising it with specific encoding techniques. The C2 sends the payload to the Bot side as a response to the DNS request. Bot and C2 can communicate using the DNS protocol in this fashion.


Computers are infected by botnets either by worm or virus that installs the bot, or when someone visits a malicious or non-trusted website that exploits a vulnerability in the browser and installs it.

  • Ensure all patches and updates are installed for all software and the operating system.
  • Avoid email attachments from suspicious or unknown sources.
  • Avoid downloads from Peer-to-Peer and file-sharing networks.
  • Do not click on suspicious links.
  • Install trusted antivirus software.
  • Disable unused ports.
  • Create secure passwords.

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.

PDF Download: A Linux Backdoor Using DNS Tunnel.pdf