AL2021_07 Linux Systems Facing Attacks by RedXOR Malware (12th March 2021)

Description

It is being reported that Linux systems are under attack by a new malware carrying the name RedXOR which is believed to have been developed by cyber criminals of the Winnti Threat group.

Summary

RedXOR gets its name due to its network data-encoding scheme which is based on the XOR encryption algorithm and because samples were found on an old release of the Red Hat Enterprise Linux platform. This malware is used in targeted attacks on legacy Linux systems.

How it works

While the initial compromise in this campaign is unknown there are some common entry points to a Linux environment such as use of compromised credentials or by exploiting a vulnerability or misconfiguration.

After execution, RedXOR creates a hidden folder called “.po1kitd.thumb” inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file “.po1kitd-2a4D53” inside this folder. The malware then installs a binary to the hidden folder called “.po1kitd-update-k”, and sets up persistence via “init” scripts. The malware stores the configuration encrypted within the binary. In addition to the command-and-control (C2) IP address and port, it can also be configured to use a proxy. The configuration includes a password which is used by the malware to authenticate to the C2 server.

After establishing this configuration, the malware then communicates with the C2 server over a TCP socket, and can execute various different commands (via a command code). These commands include: uploading, removing or opening files, executing shell commands, tunneling network traffic and writing content to files.

Solution

It is recommended that users ensure that they have the latest packages installed on their systems. There are a few Linux security tools such as rkhunter, lynis, chkrootkit, clamav and LMD, that can be used to ensure systems are safe. Given that most malware attacks are Zero-Day it is very unlikely that these tools will be able to detect this malware from the time of compromise.

For further information on this, please follow the URL:

https://threatpost.com/linux-systems-redxor-malware/164689/

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

Reference