
B1txor20 is a backdoor found targeting Linux systems with the goal of corralling the machines into a botnet and acting as a conduit for downloading and installing rootkits. The name is derived from its propagation using the file name ‘b1t’, its use of the XOR encryption algorithm, and its RC4 algorithm key length of 20 bytes.
The malware uses a technique called DNS tunneling to build communication channels with its C2 servers by encoding data in DNS queries and responses. It is spread by exploiting the Log4j vulnerability.
B1txor20, while also buggy in some ways, currently supports obtaining a shell, executing arbitrary commands, installing a rootkit, opening a SOCKS5 proxy, and uploading sensitive information back to the C2 server.
Once a system is compromised, the malware uses the DNS tunnel to retrieve and execute commands sent by the server and to send data back to the C2 server in encoded form.
The bot sends stolen sensitive information, command execution results, and any other data that needs to be delivered, after hiding it using specific encoding techniques, to the C2 server as a DNS request.
Once received, the C2 server sends its payload to the bot as the response to that DNS request. In this way, the bot and C2 communicate with the help of the DNS protocol.
A total of 15 commands are implemented, chief among them being uploading system information, executing arbitrary system commands, reading and writing files, starting and stopping proxy services, and creating reverse shells.
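The tunnelling pattern described above leaves a trace in resolver logs: many distinct, long, random-looking labels queried under one base domain. The detection sweep below is an added example written for this page, not code from the report or from the malware's authors; the log format, the domain tunnel-c2.example and every label in the sample lines are constructed, and the thresholds are starting points to tune against your own DNS baseline.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines in a hypothetical "<epoch> <client> <qtype> <qname>" format;
# the domain tunnel-c2.example and every label under it are made up for this example.
SAMPLE_LOG = """\
1647000001 10.0.0.5 A www.example.com
1647000002 10.0.0.5 A 6a3f9c2e1b7d8e4f0a5c.tunnel-c2.example
1647000003 10.0.0.5 TXT 9e1c4b7a2d0f5e8c6b3a.tunnel-c2.example
1647000004 10.0.0.7 A mail.example.com
1647000005 10.0.0.5 A 0c7d2e9f4a1b6e3c8d5f.tunnel-c2.example
1647000006 10.0.0.5 TXT 5b8e1a4c7f2d0e9b3c6a.tunnel-c2.example
1647000007 10.0.0.9 AAAA cdn.example.org
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits per character; encoded payload labels score much higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Return (subdomain, base) with base = last two labels, e.g. ('www', 'example.com')."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(log_text, min_label_len=16, min_entropy=3.0, min_unique=3):
    """Flag base domains that receive >= min_unique distinct long, high-entropy subdomains.
    One odd query proves nothing; many random-looking labels under a single domain is the
    pattern left by data being pushed out through DNS requests."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the sweep
        sub, base = split_qname(m.group(4))
        if not sub:
            continue
        longest = max(len(label) for label in sub.split("."))
        if longest >= min_label_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            seen[base].add(sub)
    return {base: len(subs) for base, subs in seen.items() if len(subs) >= min_unique}
```

Run against real logs, the flagged domains are candidates for review, not verdicts: CDNs and some security products also produce long, high-entropy labels, so allow-list known services before alerting.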
Indicators of Compromise