IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Chinese hackers target Linux systems with RedXOR backdoor

Linux servers hit by malware developed using an end-of-life Red Hat compiler

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.

Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download data, as well as tunnel network traffic. The backdoor is also difficult to identify, disguising itself as a polkit daemon, which is a background process for managing a component that controls system-wide privileges.

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries to a hidden folder dubbed ‘po1kitd.thumb’, as part of its efforts to disguise itself as the polkit daemon. The malware then communicates with the command and control server in the guise of HTTP traffic, from where instructions are then sent.

Related Resource

Address multi-cloud configuration risks

Cloud security challenges and how to overcome them

Cloud security challenges and how to overcome them - webinar from Trend MicroWatch now

Researchers have monitored the server issuing a total of 19 separate commands, including requesting system information and issuing updates to the malware. The presence of "on and off" availability in the command and control server also indicates the operation is still active, the researchers claim.

To build the backdoor, the hackers used the Red Hat 4.4.7 GNU Compiler Collection (GCC) compiler, which is the default GCC for RHEL 6. This was first released in 2010.

Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running RHEL 6. Intezer, however, hasn’t disclosed the number of, or nature of, the victims it’s identified. According to Enlyft, roughly 50,000 companies use RHEL installations.

Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets - all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022