Researchers from Intezer have discovered a new sophisticated backdoor, tracked as RedXOR, that targets Linux endpoints and servers. The malware was likely developed by the China-linked cyber espionage group Winnti.
RedXOR masquerades as a polkit daemon and shares many similarities with malware used in past cyber espionage campaigns attributed to the Winnti group, including the PWNLNX backdoor, XOR.DDOS and Groundhog.
The malware encodes its network traffic with an XOR-based scheme. The analyzed samples were compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, which suggests the malware was used in targeted attacks against legacy Linux systems.
Like the PWNLNX and XOR.DDOS samples attributed to Winnti, the RedXOR binary (named “po1kitd-update-k”) is an unstripped 64-bit ELF file.
Upon execution, RedXOR forks a child process and lets the parent exit, which detaches the malware from the shell that launched it. The child then checks whether it is running as root or as another user and creates a hidden folder named “.po1kitd.thumb” inside that user’s home directory, which it uses to store files related to the malware. Inside this folder the malware creates a hidden file named “.po1kitd-2a4D53”.
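The installation artifacts named above (the hidden folder, the hidden file and the detached daemon name) are concrete enough to hunt for. The script below is an added example written for this page, not Intezer's tooling and not code from the malware: the indicator strings come from the article, while the set of home directories it scans (/root plus every directory under /home), the process-name matching rule and the fixture data in build_fixture() are assumptions constructed here.

```python
"""Hunt for the RedXOR installation artifacts named in the article.

Added example, not Intezer's tooling or code from the malware. The
indicator strings are taken from the article (hidden folder
".po1kitd.thumb", hidden file ".po1kitd-2a4D53", daemon name
"po1kitd-update-k"); the set of home directories scanned (/root plus
every directory under /home) and the fixture data in build_fixture()
are assumptions constructed here.
"""
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

HIDDEN_DIR = ".po1kitd.thumb"
HIDDEN_FILE = ".po1kitd-2a4D53"
PROCESS_NAME = "po1kitd-update-k"
# Linux exposes at most 15 characters in /proc/<pid>/comm, one short of
# the 16-character daemon name, so match on the truncated prefix.
COMM_PREFIX = PROCESS_NAME[:15]


def default_home_dirs() -> List[Path]:
    """Homes the dropper can choose: /root when run as root, otherwise the
    invoking user's home. Scanning every home covers both cases."""
    homes = [Path("/root")]
    home_root = Path("/home")
    if home_root.is_dir():
        homes.extend(p for p in home_root.iterdir() if p.is_dir())
    return homes


def scan_homes(homes: Iterable[Path]) -> List[str]:
    """Return the RedXOR file-system artifacts found under the given homes."""
    hits: List[str] = []
    for home in homes:
        hidden_dir = Path(home) / HIDDEN_DIR
        if hidden_dir.is_dir():
            hits.append(str(hidden_dir))
            hidden_file = hidden_dir / HIDDEN_FILE
            if hidden_file.is_file():
                hits.append(str(hidden_file))
    return hits


def scan_processes(proc_root: Path = Path("/proc")) -> List[int]:
    """Return PIDs whose comm name matches the detached RedXOR daemon.

    proc_root is a parameter so the check can run against a constructed
    /proc tree as well as the real one."""
    pids: List[int] = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited or is unreadable
        if comm == COMM_PREFIX:
            pids.append(int(entry.name))
    return sorted(pids)


def build_fixture(base: Path) -> Tuple[List[Path], Path]:
    """Constructed test data: a fake home containing the artifacts and a
    fake /proc with one matching and one benign process."""
    home = base / "home" / "alice"
    (home / HIDDEN_DIR).mkdir(parents=True)
    (home / HIDDEN_DIR / HIDDEN_FILE).write_bytes(b"")
    proc = base / "proc"
    (proc / "4242").mkdir(parents=True)
    (proc / "4242" / "comm").write_text(COMM_PREFIX + "\n")
    (proc / "1").mkdir()
    (proc / "1" / "comm").write_text("systemd\n")
    return [home], proc


def demo() -> Tuple[List[str], List[int]]:
    """Run both scans against the constructed fixture in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        homes, proc = build_fixture(Path(tmp))
        return scan_homes(homes), scan_processes(proc)


if __name__ == "__main__":
    print(demo())
    for hit in scan_homes(default_home_dirs()):
        print("file artifact:", hit)
    for pid in scan_processes():
        print("suspicious process:", pid)
```

Run it as root so that /root and every home under /home are readable; the comm check is deliberately tolerant of the kernel's 15-character truncation, which would otherwise hide the daemon from an exact-name match.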
The configuration is stored encrypted inside the binary; it includes the command-and-control (C2) IP address and port, a password used to authenticate the malware to the C2 server, and settings that allow it to operate as a proxy.
The malware decrypts the configuration values with a function named “doXor”; the decryption logic is a simple XOR against a single byte key. Once the configuration is decrypted, the malware uses it to contact the C2 server.
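Because the article describes both the configuration decryption and the network encoding as XOR against a byte key, one routine illustrates both. The block below is an added example, not Intezer's code and not code lifted from the sample: it decodes with a known key and, for the common analysis situation where only the encrypted blob is available, brute-forces the 256 possible keys and keeps the one whose output parses as a configuration. The NUL-separated field layout, the key 0x4C and the sample values are constructed here; the article only says the configuration holds the C2 IP, port, password and proxy settings.

```python
"""Single-byte XOR decoding of the kind the article attributes to RedXOR's
doXor routine, plus key recovery for a sample whose key is unknown.

Added example: the scheme (XOR every byte against one key byte) and the
list of configuration fields come from the article. The NUL-separated
field layout, the key 0x4C and the sample values below are constructed
here and are not taken from a real sample.
"""
import re
from typing import Dict, Optional

IPV4_RE = re.compile(rb"^\d{1,3}(\.\d{1,3}){3}$")


def do_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def parse_config(plain: bytes) -> Optional[Dict[str, object]]:
    """Interpret decoded bytes as the constructed layout
    ip\\0port\\0password\\0proxy-flag\\0; return None if it does not fit."""
    fields = plain.split(b"\x00")
    if len(fields) < 4:
        return None
    ip, port, password, proxy = fields[:4]
    if not IPV4_RE.match(ip) or not port.isdigit() or int(port) > 65535:
        return None
    return {
        "c2_ip": ip.decode(),
        "c2_port": int(port),
        "password": password.decode(errors="replace"),
        "proxy": proxy == b"1",
    }


def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the first whose plaintext parses as a
    config. A wrong key scrambles the NUL separators and the IP digits,
    so only the real key passes the parser."""
    for key in range(256):
        if parse_config(do_xor(blob, key)) is not None:
            return key
    return None


# Constructed sample: a plaintext config encrypted with key 0x4C.
SAMPLE_KEY = 0x4C
SAMPLE_PLAIN = b"203.0.113.10\x0044443\x00p4ssw0rd\x001\x00"
SAMPLE_BLOB = do_xor(SAMPLE_PLAIN, SAMPLE_KEY)


def decrypt_sample() -> Optional[Dict[str, object]]:
    """Recover the key from the blob alone, then decode the config."""
    key = recover_key(SAMPLE_BLOB)
    return None if key is None else parse_config(do_xor(SAMPLE_BLOB, key))


if __name__ == "__main__":
    print("recovered key:", hex(recover_key(SAMPLE_BLOB)))
    print(decrypt_sample())
```

The parser is the oracle for the brute force: with a single-byte key there are only 256 candidates, so any structural constraint on the plaintext (here a dotted-quad IP in the first field and a numeric port in the second) is enough to pick out the right one without knowing the key in advance. The same loop applies to captured C2 traffic encoded with the same scheme, given a suitable check on the decoded message format.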
RedXOR supports multiple commands that implement its capabilities, including gathering system information, updating the malware, performing file operations, providing the operator with a TTY shell, executing commands with system privileges, and running arbitrary shell commands.