New Backdoor Trojan "B1txor20" Appears in Linux, Based on DNS Tunneling Technology

Qihoo 360's Netlab security team has discovered a new backdoor Trojan for the Linux platform whose goal is to incorporate machines into a botnet and act as a conduit for downloading and installing rootkits. The backdoor is named "B1txor20" after the file name 'b1t' it propagates under, the XOR encryption algorithm it uses, and its RC4 key length of 20 bytes.

B1txor20 was first observed propagating through a Log4j vulnerability on February 9, 2022. It uses DNS tunneling to establish a communication channel with a command and control (C2) server by encoding data in DNS queries and responses (it supports two methods, direct connection and relay). The backdoor protects its traffic with zlib compression, RC4 encryption, and Base64 encoding. It is currently spread through the Log4j vulnerability and mainly targets Linux platforms with ARM and x64 CPU architectures.
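A defender-side heuristic for the DNS tunnel channel described above, as an added example that is not from the Netlab analysis or the original article: it flags parent domains that receive many distinct long, high-entropy query names. The thresholds, the two-label parent-domain split and the sample query names are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded ciphertext scores far higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def find_tunnel_candidates(qnames, min_len=30, min_entropy=4.0, min_unique=5):
    """Map parent domain -> count of distinct long, high-entropy subdomain payloads."""
    payloads = defaultdict(set)
    for qname in qnames:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Assumption: the registered domain is the last two labels (no public-suffix list).
        parent = ".".join(labels[-2:]).lower()
        payload = "".join(labels[:-2])  # keep case: Base64 text depends on it
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            payloads[parent].add(payload)
    # One odd name is noise; many distinct ones under one parent suggests a channel.
    return {d: len(p) for d, p in payloads.items() if len(p) >= min_unique}


def _constructed_label(i):
    # Constructed stand-in for compressed, encrypted, Base64-encoded data.
    raw = hashlib.sha256(f"chunk-{i}".encode()).digest()[:30]
    return base64.urlsafe_b64encode(raw).decode()


# Constructed sample query names; the domains are placeholders, not indicators.
BENIGN_QUERIES = [
    "www.example.org",
    "mail.example.org",
    "api.internal.example.org",
    "static-content-delivery-eu-west-1a.example.net",  # long but low entropy
]
TUNNEL_QUERIES = [f"{_constructed_label(i)}.tunnel-placeholder.example" for i in range(8)]
SAMPLE_QUERIES = BENIGN_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for domain, n in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{domain}: {n} distinct encoded-looking query names")
```

In production the same logic would run over resolver or passive-DNS logs, with thresholds tuned against known-noisy services such as CDNs and anti-virus lookups.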

In addition to traditional backdoor functions, B1txor20 can also open a SOCKS5 proxy, remotely download and install a rootkit, and open a reverse shell. These functions can easily turn a compromised device into a springboard for subsequent infiltration.

At present, the main functions of B1txor20 are as follows:

  1. SHELL
  2. Proxy
  3. Execute arbitrary commands
  4. Install rootkit
  5. Upload sensitive information

In fact, B1txor20 supports a total of 15 functions, but some of them are not enabled and some have bugs, so it is very likely that B1txor20 variants will appear later.

The basic workflow of B1txor20 is shown in the following flow chart:

The 360 Netlab team's blog post details the reverse-engineering analysis of the Trojan, and it turns out that the team behind B1txor20 registered its domain names for six years in one go:

It seems that the production team is very confident in the Trojans they have created.
