On Wednesday, March 10, 2021, Intezer Researchers revealed a new malware targeting Linux endpoints and servers. Researchers dubbed this “undocumented backdoor” as REDXOR for its “network data encoding scheme based on XOR.” Researchers believe REDXOR was developed by sophisticated Chinese bad actors. The malware was uploaded from Taiwan and Indonesia. Furthermore, through their investigation, Intezer was able to identify key similarities with this attack and previous attacks from the China-based Winnti Group.
The malware was compiled on Red Hat Enterprise Linux. This “undocumented backdoor” disguises itself as Polkit daemon. Once executed, REDXOR splits a “child” process off, thus allowing the “parent” process to exit. The purpose of this is described to “detach the process from the shell”. This “child” then determines if its been executed as a root user or another user. Reason being, for the “child” to create a hidden folder to disguise itself, called “.po1kitd.thumb” which is created on the user’s home folder, it is then used to store malware related folders. The file then becomes locked to the running process, basically creating a mutex.
Following this mutex, the malware then installs onto an infected machine. The malware then communicates with command and the control server under the guise of HTTP/URL traffic. Worse over, the malware can be updated by the bad actor.
Linux users targeted/victimized by REDXOR should locate any files related to this malware and remove them and kill the process. Furthermore, users should ensure they are running only clean and trusted code.
While Linux is not as targeted as other OS, they have in recent years seen an increase in attacks and attack attempts. Since Linux has been a more widely adopted OS for cloud servers, IoT and more, this has encouraged bad actors to develop new and more sophisticated tactics to attack the Linux OS.