A new Linux backdoor that is deployed through Log4Shell security vulnerabilities and communicates with command and control servers (C&C) using the DNS tunnelling method has been detected by Netlab 360 security researchers.
In the researchers’ analyses, it has been observed that the backdoor called “B1txor20” targets systems with Linux ARM X64 CPU architecture, spreads through Apache Log4Shell vulnerabilities detected towards the end of 2021, and uses DNS tunnel technology to create a C&C communication channel. In addition to traditional backdoor functions, B1txor20 also enables Socket5 proxy, downloading Rootkit payloads from a remote server and performing data theft. Another critical factor detected related to malware is not using many advanced features. This shows that the developers of B1txor20 have developed and customized different functions according to different scenarios. The malware, which infects vulnerable systems, sends the captured sensitive information, command execution results, and other information that needs to be delivered to C&C servers as a DNS request after hiding it using specific coding techniques.
Since their disclosure, Apache Log4Shell vulnerabilities have been actively used by various threat actors such as many state-sponsored cyber threat groups and Ransomware gangs. So, a significant increase is observed in the number of malicious software that takes advantage of these vulnerabilities. In this context, it is recommended to immediately apply updates that fix vulnerabilities to systems vulnerable to Log4Shell vulnerabilities and ensure that the system/programs used are up-to-date. In addition essential to use reliable Anti-Virus/Anti-Malware solutions and block IoC findings related to malware from security solutions in use.