The malware uses DNS tunneling for communications
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, install rootkits, create reverse shells, and act as web traffic proxies.
The new botnet was revealed by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), who named it B1txor20. The malware focuses its attacks on Linux devices with ARM and x64 CPU architectures.
“Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon,” the researchers write. “What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system. We decided to take a close look, and indeed, it is a new botnet family,” they confirmed.
A backdoor to the Linux platform
“In short, B1txor20 is a Backdoor for the Linux platform,” they conclude. It uses DNS tunnel technology to build its C2 communication channels. In addition to the traditional backdoor functions, B1txor20 can also open a SOCKS5 proxy and remotely download and install a rootkit.
They captured a total of four different B1txor20 samples whose functions are almost the same: a total of 15 function numbers are supported. Based on these functions, B1txor20 can be characterized as using a DNS tunnel to establish its C2 channel, supporting both direct connection and relay, while using ZLIB compression, RC4 encryption and BASE64 encoding to protect the backdoor Trojan's traffic; it mainly targets the ARM and x64 CPU architectures of the Linux platform.
The researchers also found that many of the implemented features are not in use (in IDA, they have no cross-references), and some features have bugs. “We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20’s siblings in the future,” they add.
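Because the tunnelled payload is compressed, RC4-encrypted and BASE64-encoded, a defender cannot inspect its content; what gave this sample away was the shape of its DNS traffic. The following added example (not code from the 360 Netlab report) shows the kind of heuristic a DNS-tunnel alert relies on: it scans constructed DNS query log lines, scores the leading label of each name by length and Shannon entropy, and flags zones that receive several distinct high-entropy labels. The log format, thresholds and the placeholder zone name are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log in an assumed "timestamp client qtype qname" format.
# Zone names are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2022-03-15T10:00:01 10.0.0.5 A www.example.com
2022-03-15T10:00:02 10.0.0.5 A mail.example.com
2022-03-15T10:00:03 10.0.0.7 A 8WKOjcGKUKRnM4D2Ow7G8Jw5MM44D.tunnel-placeholder.test
2022-03-15T10:00:04 10.0.0.7 A Z3pQ9xK2mN8vB4cD6eF1gH5jL7.tunnel-placeholder.test
2022-03-15T10:00:05 10.0.0.7 A Q1wE2rT3yU4iO5pA6sD7fG8hJ9.tunnel-placeholder.test
2022-03-15T10:00:06 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text: str):
    """Yield (client, qname) pairs; case is preserved because BASE64 is case-sensitive."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[3].rstrip(".")


def looks_like_tunnel_label(label: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Long, high-entropy leading labels are how a DNS tunnel carries data."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text: str, min_unique: int = 3) -> dict:
    """Return {zone: number of distinct tunnel-like labels} for zones over the threshold.
    Counting distinct labels per zone reduces false positives from a single long
    but legitimate CDN hostname that is queried repeatedly."""
    per_zone = defaultdict(set)
    for _client, qname in parse_queries(log_text):
        labels = qname.split(".")
        if len(labels) < 3:  # need a subdomain label beneath the zone
            continue
        zone = ".".join(labels[-2:])  # assumption: zone is the last two labels
        if looks_like_tunnel_label(labels[0]):
            per_zone[zone].add(labels[0])
    return {zone: len(s) for zone, s in per_zone.items() if len(s) >= min_unique}
```

Flagged zones are candidates for investigation, not verdicts; tune the thresholds against your own baseline traffic, since CDNs and anti-spam services also emit long machine-generated labels.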