Chinese hackers target Linux systems with RedXOR backdoor


Keumars Afifi-Sabet

11 Mar, 2021

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.

Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download data, as well as tunnel network traffic. The backdoor is also difficult to identify, disguising itself as a polkit daemon, which is a background process for managing a component that controls system-wide privileges.

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries to a hidden folder dubbed ‘po1kitd.thumb’, as part of its efforts to disguise itself as the polkit daemon. The malware then communicates with the command and control server in the guise of HTTP traffic, from where instructions are then sent.

Researchers have monitored the server issuing a total of 19 separate commands, including requesting system information and issuing updates to the malware. The presence of «on and off» availability in the command and control server also indicates the operation is still active, the researchers claim.

To build the backdoor, the hackers used the Red Hat 4.4.7 GNU Compiler Collection (GCC) compiler, which is the default GCC for RHEL 6. This was first released in 2010.

Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running RHEL 6. Intezer, however, hasn’t disclosed the number of, or nature of, the victims it’s identified. According to Enlyft, roughly 50,000 companies use RHEL installations.

Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets – all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.