A new Linux botnet is using the infamous Log4j vulnerability to install rootkits and steal data.
Researchers at Chinese internet security company Qihoo’s 360’s Network Security Research Lab discovered the botnet family, which they dubbed B1txor20, as it was infecting new hosts via the Log4j vulnerability. It primarily targets Linux Arm and x64 CPU-based systems.
“In addition to the traditional backdoor functions, B1txor20 also has functions such as opening Socket5 proxy and remotely downloading and installing Rootkit,” the threat researchers wrote.
In total, 360 Netlab nabbed found four different B1txor20 samples that the threat researchers said support 15 functions. In addition to those mentioned above, these include reading and writing files, starting and stopping proxy services and running reverse shells.
They also noted that the malware wasn’t using all of its nefarious features (such as uploading “/boot/conf- XXX” info), and that some of these have bugs. One of the buggy bits deletes the socket file after binding the domain socket, “which makes the socket unconnectable and thus the whole function is useless,” 360 Netlab noted.
However, the threat researchers aren’t putting it past the criminals to call on the unused code or fix the bugs in the future.
“We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20’s siblings in the future,” the security firm added.
Because the popular Apache Log4j logging library is so widely used among enterprise apps and cloud services, the remote code execution flaw made an especially attractive exploit for criminals. Since the Log4j vuln was disclosed late last year, several malware groups have taken advantage of this attack vector.
The 360 Netlab researchers note: “Elknot, Gafgyt, Mirai are all too familiar.” B1txor20 is just the latest example of Log4v instances still remaining vulnerable.
Here’s how the new botnet works. The malware uses DNS tunnel tech to establish command-and-control (C2) communications and disguise the backdoor Trojan traffic. Then the bots wait to execute any malicious commands sent by the C2 server.
As the security shop explained:
And finally, in what they deemed a “small note,” the threat researchers said the domain name has been registered for six years, “which is kind [of] unusual?” Or maybe it points to excellent planning on the part of the miscreants. ®