12 March 21, 08:40
Quote:Researchers have discovered a new backdoor targeting Linux systems, which they link back to the Winnti threat group.
The backdoor is called RedXOR – in part because its network data-encoding scheme is based on the XOR encryption algorithm, and in part because its samples were found on an old release of the Red Hat Enterprise Linux platform. The latter fact provides a clue that RedXOR is utilized in targeted attacks against legacy Linux systems, noted researchers.
The malware has various malicious capabilities, said researchers – from exfiltrating data to tunneling network traffic to another destination.
“The initial compromise in this campaign is not known but some common entry points to Linux environments are: Use of compromised credentials or by exploiting a vulnerability or misconfiguration,” Avigayil Mechtinger, security researcher with Intezer, told Threatpost. “It is also possible the initial compromise was via a different endpoint, meaning the threat actor laterally moved to a Linux machine where this malware was deployed.”
The samples were detected after being uploaded to VirusTotal from two different sources in Indonesia and Taiwan. Researchers told Threatpost that based on this, it is likely that at least two entities have discovered the malware in their environment.
Read more: Linux Systems Under Attack By New RedXOR Malware | Threatpost