Linux botnet exploits Log4j flaw to hijack Arm, x86 systems • The Register

A new Linux botnet is using the infamous Log4j vulnerability to install rootkits and steal data.

Researchers from the 360 Network Security Research Lab at Chinese internet security firm Qihoo discovered the botnet family, which they dubbed B1txor20 because it infects hosts through the Log4j vulnerability. It mainly targets Linux Arm and 64-bit x86 systems. Compromised devices are commandeered and brought into the network as remote-controlled bots, hence the term botnet.

“In addition to traditional backdoor functions, B1txor20 also has functions such as opening a Socket5 proxy and remotely downloading and installing a rootkit,” the threat researchers wrote this week.

In total, 360 Netlab found four different B1txor20 samples which the team says provide 15 functions. In addition to those mentioned above, these include reading and writing files, starting and stopping proxy services, and running reverse shells on compromised machines. The nasty software is, we are told, designed primarily to receive and execute commands from its masters, and exfiltrate sensitive data.

They also noted that the malware did not use all of its nefarious features (such as downloading “/boot/conf-XXX” information), and that some of them had bugs. One of the buggy bits is removing the socket file after binding the domain socket, “which renders the socket unbindable and therefore the whole function is useless,” 360 Netlab noted.

However, nothing prevents the criminals from enabling the inactive features or fixing the bugs in the future.

“We assume that the author of B1txor20 will continue to improve and open different features under different scenarios, so maybe we’ll meet B1txor20’s siblings in the future,” the security firm added.

Because the popular Apache Log4j logging library is so widely used in enterprise applications and cloud services, its remote code execution flaw is a particularly attractive target for criminals. Since the Log4j vulnerability was disclosed late last year, several malware groups have taken advantage of this attack vector.

The 360 Netlab researchers noted, “Elknot, Gafgyt, Mirai are all too familiar. B1txor20 is just the latest example of Log4j instances that are still vulnerable.”

Here’s how the new botnet works. The malware uses DNS tunneling to establish command and control (C2) communications and conceal its backdoor traffic. Then the bots wait to execute the malicious commands sent by the C2 server.
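DNS tunnelling of the kind described above leaves a recognisable trace in resolver logs: one client sending many queries for distinct, long, high-entropy subdomains of a single domain. The following detector is an added example written for this article, not code from The Register or 360 Netlab; the log format, the thresholds and the hostnames (`example.com`, `tunnel-example.invalid`) are constructed assumptions, and the scoring is a generic heuristic rather than B1txor20's actual protocol.

```python
"""Heuristic DNS-tunnelling detector over DNS query logs.

Added example (not from the article or from 360 Netlab). It scores each
(client, registered-domain) pair on three signals that DNS-tunnelled C2
tends to show and ordinary name resolution does not: many distinct
subdomains, long subdomain labels, and high per-character entropy.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qtype> <qname>".
# The hex labels are deliberately regular so the expected entropy is easy to verify;
# real tunnelled payloads are base32/base64/hex chunks of similar length.
SAMPLE_LOG = """\
2022-03-15T10:00:01 10.0.0.12 A    www.example.com
2022-03-15T10:00:02 10.0.0.12 AAAA mail.example.com
2022-03-15T10:00:03 10.0.0.12 A    cdn.example.com
2022-03-15T10:00:04 10.0.0.34 TXT  0123456789abcdef0123456789abcdef01234567.tunnel-example.invalid
2022-03-15T10:00:05 10.0.0.34 TXT  3456789abcdef0123456789abcdef0123456789a.tunnel-example.invalid
2022-03-15T10:00:06 10.0.0.34 TXT  6789abcdef0123456789abcdef0123456789abcd.tunnel-example.invalid
2022-03-15T10:00:07 10.0.0.34 TXT  9abcdef0123456789abcdef0123456789abcdef0.tunnel-example.invalid
2022-03-15T10:00:08 10.0.0.34 TXT  cdef0123456789abcdef0123456789abcdef0123.tunnel-example.invalid
2022-03-15T10:00:09 10.0.0.34 TXT  f0123456789abcdef0123456789abcdef0123456.tunnel-example.invalid
"""

# Assumed thresholds; tune per environment (CDNs and AV hash lookups also use long labels).
MIN_UNIQUE_SUBDOMAINS = 5   # distinct subdomains seen under one domain from one client
MIN_AVG_LABEL_LEN = 24      # average length of the subdomain part, in characters
MIN_AVG_ENTROPY = 3.5       # average Shannon entropy (bits/char) of the subdomain part


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Naive split into (registered domain, subdomain): last two labels vs. the rest."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield (client, qtype, qname) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def summarize(text):
    """Aggregate per (client, domain): query count, distinct subdomains, label chars, entropy, TXT count."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_chars": 0, "entropy_sum": 0.0, "txt": 0})
    for client, qtype, qname in parse_log(text):
        domain, sub = split_qname(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_chars"] += len(sub)
        s["entropy_sum"] += shannon_entropy(sub)
        s["txt"] += qtype == "TXT"
    return stats


def flag_tunneling(text):
    """Return sorted (client, domain) pairs whose traffic crosses all three thresholds."""
    flagged = []
    for (client, domain), s in sorted(summarize(text).items()):
        n = s["queries"]
        avg_len = s["label_chars"] / n
        avg_entropy = s["entropy_sum"] / n
        if (len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS
                and avg_len >= MIN_AVG_LABEL_LEN
                and avg_entropy >= MIN_AVG_ENTROPY):
            flagged.append((client, domain))
    return flagged


if __name__ == "__main__":
    for client, domain in flag_tunneling(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[(client, domain)]
        print(f"possible DNS tunnel: {client} -> {domain} "
              f"({s['queries']} queries, {s['txt']} TXT, {len(s['subdomains'])} distinct subdomains)")
```

The three signals are combined with AND on purpose: any one of them alone fires on legitimate traffic (content-hash CDN hostnames are long, reputation-lookup services are high-entropy, large SaaS tenants produce many subdomains). The TXT count is recorded but not used as a gate, because tunnels also run over A, AAAA, CNAME and NULL records; it is worth surfacing in the alert for triage.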

As the security magazine explained:

And finally, in what they called a “little note”, the researchers said that the domain name had been registered for six years, “which is rather unusual?” Or maybe it indicates excellent planning on the part of the miscreants. ®


Steven L. Nielsen