[MART] - Daily Diary #471 - B1txor20, A New Linux Botnet

CTAS-MAT ctas-mat at appgate.com
Wed Mar 16 19:21:20 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

03/16/2022 - Diary entry #471:

Named after a file name it creates on the infected machine (b1t), the XOR encryption operation, and an RC4 key length of 20 bytes, B1txor20 is a new botnet spotted in the wild.

B1txor20 creates a DNS tunnel to communicate stealthily with its Command & Control server. DNS tunneling, covered in our Daily Diary #391, is an old technique used by malware since the early 2000s and is very effective at hiding malicious traffic as DNS queries.

In terms of capabilities, B1txor20 can be considered a backdoor, operating as a reverse shell, as a proxy, executing remote commands, and even installing a specific rootkit named M3T4M0RPH1N3.ko. In some attacks, it was found using the Log4j vulnerability - covered in several of our Daily Diaries - to gain initial access into Linux systems.

Curiously, the B1txor20 C2 domain was registered 6 years ago. This means that this botnet could have remained undiscovered for some time. When using DNS tunneling, no connection is opened directly to the attacker's server. However, when B1txor20 fails to send data via a public or a local DNS (or if the attackers prefer), it will send it directly to the C2 server.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
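
Added example, not part of the original message and not Appgate's code: a defender-side heuristic for the DNS tunneling behaviour described in the entry, flagging clients that send many long, high-entropy subdomains under one parent domain. The function names, thresholds, addresses and the example.net/example.com log entries are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parent_domain(qname):
    # Assumption: registered domain = last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspect_tunnels(queries, min_unique=5, min_avg_len=30, min_entropy=3.2):
    """queries: iterable of (client_ip, qname). Returns {(client, parent): stats}."""
    seen = defaultdict(set)
    for client, qname in queries:
        name = qname.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: -len(parent)].rstrip(".")   # everything left of the parent
        if sub:
            seen[(client, parent)].add(sub)
    flagged = {}
    for key, subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[key] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

# Constructed sample log (not real B1txor20 traffic): hex strings stand in for
# encoded payload chunks from one host; a second host does ordinary lookups.
SAMPLE = [("10.0.0.7", hashlib.sha256(bytes([i])).hexdigest()[:40] + ".t.example.net")
          for i in range(8)]
SAMPLE += [("10.0.0.9", h) for h in
           ["www.example.com", "mail.example.com", "cdn.example.com",
            "api.example.com", "www.example.org", "static.example.org"]]

if __name__ == "__main__":
    for (client, parent), stats in suspect_tunnels(SAMPLE).items():
        print(client, parent, stats)
```

The thresholds are illustrative and need tuning against local baseline traffic. The direct-to-C2 fallback mentioned in the entry bypasses DNS, so it would not appear in resolver logs and has to be covered by network flow monitoring.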
