Security researchers at Intezer have discovered a previously undocumented backdoor dubbed RedXOR, with links to a Chinese-sponsored hacking group and used in ongoing attacks targeting Linux systems.
The RedXOR malware samples found by Intezer were uploaded to VirusTotal (1, 2) from Taiwan and Indonesia (known targets for Chinese state hackers) and have low detection rates.
Based on command-and-control servers still being active, the Linux backdoor is being used in ongoing attacks targeting both Linux servers and endpoints.
RedXOR comes with a large set of capabilities, including executing commands with system privileges, managing files on infected Linux boxes, hiding its process using the Adore-ng open-source rootkit, proxying malicious traffic, remote updating, and more.
Links to Chinese Winnti malware
The new malware is believed to be a new malicious tool added to China’s Winnti umbrella threat group’s arsenal.
“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” Intezer said.
Intezer also found multiple connections between the RedXOR Linux backdoor and multiple malware strains linked to the Winnti state hackers, including the PWNLNX backdoor and the Groundhog and XOR.DDOS botnets.
Similarities discovered by the security researchers while comparing these malware strains include the use of:
- old open-source kernel rootkits,
- identically named functions,
- XOR-encoded malicious traffic,
- comparable naming scheme for persistence services,
- compilation using legacy Red Hat compilers,
- very similar code flow and functionality, and more.
Who is Winnti?
Winnti is an umbrella term used to track a collective of state-backed hacking groups (BARIUM by Microsoft, APT41 by FireEye, Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike) linked to Chinese government interests.
These APT groups share an arsenal of malicious tools used in cyberespionage and financially motivated attacks since at least 2011.
That is when Kaspersky researchers discovered Winnti’s Trojan malware on a massive number of compromised gaming systems following a supply chain attack that compromised a game’s official update server.
Kaspersky also revealed evidence connecting Winnti attack tactics and methods used in the compromise of ASUS’ LiveUpdate during Operation ShadowHammer to the ones employed in other supply-chain attacks, including NetSarang and CCleaner from 2017.
APT groups increasingly target Linux users
The discovery of new is not at all surprising, taking into account the over 40% increase in new Linux malware found during 2020.
Nation-state hackers also focus more and more on targeting Linux systems, as highlighted by a 2020 Intezer report summarizing the last ten years of Linux APT attacks.
“In the previous decade researchers discovered several large APT campaigns targeting Linux systems, as well as unique Linux malware tools tailored for espionage operations,” Intezer said.
“Some of the most prominent nation-state actors are incorporating offensive Linux capabilities into their arsenal and it’s expected that both the number and sophistication of such attacks will increase over time.”