New backdoor malware targeting Linux operating systems has been discovered, hiding as a polkit daemon. It is has been named RedXOR for its network data encoding scheme based on XOR.
Analysing the Tactics, Techniques, and Procedures (TTPs), RedXOR is thought to be developed by Chinese threat actors. The malware samples have low detection rates in VirusTotal, and is used in targeting attacks against legacy Linux systems.
There are also many similarities between RedXOR and the reported malware associated with Winnti umbrella threat group known as the PWNLNX backdoor, as well as to XOR.DDOS and Groundhog, two botnets attributed to Winnti by BlackBerry. The below samples can be used for reference:
The samples are both unstripped 64-bit ELF files called po1kitd-update-k. Similarities between the samples includes the use of old open-source kernel rootkits, both use the CheckLKM function, and both provide the attacker with a pseudo-terminal using Python pty shells and many other similarities.
The malware makes a remote connection to the command and control server over a TCP socket. The traffic is made to look like HTTP traffic. The command and control server instructs the malware to execute different commands returned in the JSESSIONID cookie. The malware can also be updated by the attacker by sending commands to the malware. The malware can also create new remote shells to get a pseudo-terminal (pty) interface and can perform network tunnelling.
How to Detect and Respond
Use the information below to detect and respond this threat. We suggest using the following indicators of compromise to ensure the RedXOR and the files it creates do not exist in your environment:
Indicators of Compromise
RedXOR Hashes
0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919
Network
update[.]cloudjscdn[.]com
158[.]247[.]208[.]230
34[.]92[.]228[].216
Process name
po1kitd-update-k
File and directories created on disk
.po1kitd-update-k
.po1kitd.thumb
.po1kitd-2a4D53
.po1kitd-k3i86dfv
.po1kitd-nrkSh7d6
.po1kitd-2sAq14
.2sAq14
.2a4D53
po1kitd.ko
po1kitd-update.desktop
S99po1kitd-update.sh
Follow these steps if you are a victim of this malware:
- Kill the process.
- Delete all files related to the malware.
- Make sure your machine is clean and running only trusted code.
- Contact the Experts for assistance if needed.
Node Prevent
When you purchase one of our cyber insurance policies you’ll receive vital cybersecurity updates such as this and online training courses to keep your employees up-to-date with the current cyber threats.
