RedXOR, a new powerful Linux backdoor in Winnti APT arsenal

Intezer experts have spotted a new strain of Linux backdoor dubbed RedXOR that is believed to be part of the arsenal of China-linked Winniti APT.

Researchers from Intezer have discovered a new sophisticated backdoor, tracked as RedXOR, that targets Linux endpoints and servers. The malware was likely developed by the China-linked cyber espionage group Winnti.

“We have discovered an undocumented backdoor targeting Linux systems, masqueraded as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR.” reads the analysis published by Intezer.

“RedXOR” masquerades as a polkit daemon, it presents many similarities with malware (PWNLNX backdoor and XOR.DDOS and Groundhog) employed in past cyber espionage campaigns attributed to the Winnti group.

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes:

The malware encodes its network data with an encoding scheme based on XOR, experts also noticed that the samples they analyzed have been compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, This circumstance suggests that the malware was employed in targeted attacks against legacy Linux systems.

Intezer researchers analyzed two samples of the malware that were uploaded from Indonesia and Taiwan on February 23 and 24.

RedXOR, like other Winnti malware, PWNLNX and XOR.DDOS, are unstripped 64-bit ELF file.(“po1kitd-update-k”).

Upon execution, the malware creates a hidden folder , called “.po1kitd.thumb”, where it stores its files then launches the installation of the system. RedXOR forks a child process allowing the parent process to exit to detach the process from the shell.

“The new child determines if it has been executed as the root user or as another user on the system. It does this to create a hidden folder, called “.po1kitd.thumb”, inside the user’s home folder which is used to store files related to the malware. The malware creates a hidden file called “.po1kitd-2a4D53” inside the folder.” continues the report. “The file is locked to the current running process essentially creating a mutex. If another instance of the malware is executed, it also tries to obtain the lock but ultimately fails. Upon this failure the process exits.”

The malware stores the configuration encrypted within the binary, it includes the Command and control (C2) IP address, port, a password to authenticate the malware to the C2, and settings to eventually work as a proxy. .

The malware uses the “doXor” function to decrypt the configuration values, the decryption logic is a simple XOR against a byte key. 

The malware communicates with the C2 server over a TCP socket and the traffic is disguised as HTTP traffic.

RedXOR extracts “JSESSIONID”, “Content-Length”, “Total-Length” and the response body, where the JSESSIONID value holds the command ID for the job the C2 wants the malware to perform.

RedXOR supports multiple commands to implement multiple capabilities including gathering system information (i.e. MAC address, username, distribution, clock speed, kernel version, etc.), updating the malware, performing file operations, providing operator with a “tty” shell, executing commands with system privileges, and running arbitrary shell commands.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. A survey conducted by Sophos found that 70% of organizations using the public cloud to host data or workloads experienced a security incident in the past year.” concludes the experts.

“Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RedXOR)

[adrotate banner=”5″]

[adrotate banner=”13″]