Chinese hackers target Linux systems with RedXOR backdoor

Linux servers hit by malware developed using an end-of-life Red Hat compiler

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.

Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download data, and tunnel network traffic. The backdoor is also difficult to identify, disguising itself as a polkit daemon, the background process for polkit, the component that controls system-wide privileges.

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries to a hidden folder dubbed ‘po1kitd.thumb’ as part of its effort to pass as the polkit daemon. The malware then communicates with the command and control server under the guise of HTTP traffic, and it is over this channel that instructions are sent.
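A defender-side check for the disguise described above, written as an added example rather than code from Intezer's report: it flags path components equal to the ‘po1kitd.thumb’ staging folder name, and names that only spell ‘polkitd’ once a digit-for-letter swap is undone. The sample paths are constructed, and the dot-prefixed form of the hidden folder is an assumption.

```python
"""Flag files and process names that masquerade as the polkit daemon.
Added example. The sample entries are constructed; the dot-prefixed
folder name '.po1kitd.thumb' is an assumption about how it is hidden."""
from pathlib import PurePosixPath

LEGIT = "polkitd"
STAGING_FOLDER = "po1kitd.thumb"          # name reported for the hidden folder
# digits that read as letters at a glance in ps or ls output
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def looks_like_polkitd(name: str) -> bool:
    """True when a name equals 'polkitd' only after undoing digit-for-letter swaps."""
    base = name.lower().lstrip(".")
    return base != LEGIT and base.translate(HOMOGLYPHS) == LEGIT


def masquerade_findings(paths):
    """Return (path, reason) for every path with a suspicious component.

    Each path is checked component by component, so a lookalike directory
    anywhere in the tree is caught, not just the final file name."""
    findings = []
    for p in paths:
        for part in PurePosixPath(p).parts:
            stem = part.lstrip(".")                 # hidden entries start with '.'
            if stem == STAGING_FOLDER:
                findings.append((p, "hidden RedXOR-style staging folder name"))
                break
            if looks_like_polkitd(stem.split(".")[0]):
                findings.append((p, f"'{part}' mimics {LEGIT}"))
                break
    return findings


# Constructed sample: entries from a filesystem sweep and /proc/*/comm values
SAMPLE = [
    "/usr/lib/polkit-1/polkitd",            # the genuine daemon, must not be flagged
    "/home/user/.po1kitd.thumb/po1kitd",    # hidden staging folder (assumed dot-prefix)
    "/tmp/p0lkitd",                         # another digit swap
    "/var/log/messages",
]

if __name__ == "__main__":
    for path, reason in masquerade_findings(SAMPLE):
        print(f"{path}: {reason}")
```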


Researchers have observed the server issuing a total of 19 separate commands, including requests for system information and updates to the malware itself. The command and control server's intermittent "on and off" availability also indicates the operation is still active, the researchers claim.

To build the backdoor, the hackers used the Red Hat 4.4.7 build of the GNU Compiler Collection (GCC), which is the default GCC for RHEL 6, a release that first shipped in 2010.

Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running it. Intezer, however, hasn’t disclosed the number or nature of the victims it’s identified. According to Enlyft, roughly 50,000 companies use RHEL installations.

Although the number of Linux malware families discovered has grown in recent years, backdoors attributed to advanced threat groups, such as nation state-backed attackers, remain far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets - all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.
