Researchers Discover New Backdoor Targeting Linux Endpoints Named ‘RedXOR’
Researchers at Intezer have uncovered a new, sophisticated, backdoor that is targeting Linux endpoints and servers. Based on the Tactics, Techniques, and Procedures, the backdoor is believed to be developed by Chinese nation-state actors. Named “RedXOR,” the backdoor masquerades itself as a polkit daemon due to its network data encoding scheme based on XOR. The malware was compiled on Red Hat Enterprise Linux.
The samples being analyzed by researchers have low detection rates in VirusTotal, and were uploaded from Indonesia and Taiwan, countries known to be targeted by Chinese threat actors. During their investigation, researchers also experienced an “on and off” availability of the Command and Control server, likely indicating that the campaign is still active. Several key similarities between RedXOR and the previously reported malware associated with the Winnti threat group, were also observed. The malwares are the PWNLNX backdoor and the XOR.DDOS and Groundhog botnets.
IOCs
- RedXOR
- 0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
- 0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919
- Network
- update[.]cloudjscdn[.]com
- 158[.]247[.]208[.]230
- 34[.]92[.]228[].216
- Process Name
- po1kitd-update-k
- File and Directories Created on Disk
- .po1kitd-update-k
- .po1kitd.thumb
- .po1kitd-2a4D53
- .po1kitd-k3i86dfv
- .po1kitd-nrkSh7d6
- .po1kitd-2sAq14
- .2sAq14
- .2a4D53
- po1kitd.ko
- po1kitd-update.desktop
- S99po1kitd-update.sh