A recently discovered botnet that is rapidly gaining momentum attacks Linux devices in order to build an army of bots ready to steal information, install rootkits, create reverse shells and act as proxies.
The new malware, named B1txor20 by the Qihoo 360 Network Security Research Lab (360 Netlab) specialists who discovered it, targets Linux devices with ARM and x64 architectures.
The botnet started by exploiting the Log4Shell vulnerability in the Log4j logging library. Researchers first observed it on February 9, 2022, when the malware landed in one of their honeypots. In total, the experts “caught” four malware samples that include a backdoor and a SOCKS5 proxy, as well as functions for downloading malware, stealing data, executing arbitrary commands and installing a rootkit.
B1txor20 differs from other botnets in that it uses DNS tunneling to communicate with the C&C server – an old but reliable way of using the DNS protocol to tunnel malware and data through DNS queries.
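As an added illustration (not code from the 360 Netlab report), here is a defender-side heuristic over constructed resolver log lines that surfaces the trace DNS tunnelling leaves behind: many queries to one domain, each carrying a unique, long, high-entropy subdomain. The log format and the tunnel domain are assumptions made up for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (timestamp client qname qtype); the tunnel domain is a placeholder.
SAMPLE_LOG = """\
2022-02-09T10:00:01 10.0.0.5 www.example.com A
2022-02-09T10:00:02 10.0.0.5 mail.example.com MX
2022-02-09T10:00:03 10.0.0.7 k7mz3qx9p2vw1hgd.y5tn8rb4cf0jle6s.tunnel-placeholder.test TXT
2022-02-09T10:00:04 10.0.0.7 a2pq8lw4zx6mt1kd.c9vh3bn7yr5eg0fs.tunnel-placeholder.test TXT
2022-02-09T10:00:05 10.0.0.7 r4dj9ew2ms7ut3xb.h1lz6pk8qn0vc5ag.tunnel-placeholder.test TXT
2022-02-09T10:00:06 10.0.0.7 z8fb1gk5ny3xq7dr.w2sm6cj0lt9pv4eh.tunnel-placeholder.test TXT
2022-02-09T10:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score far higher than hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_qname(qname):
    """Split into (subdomain part, registered domain); assumes the last two labels are the domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def summarize(log_text):
    """Per registered domain: query count, distinct subdomains, summed length and entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        sub, domain = split_qname(parts[2])
        d = stats[domain]
        d["queries"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["entropy"] += shannon_entropy(sub)
    return stats

def flag_tunnels(log_text, min_queries=3, min_avg_len=24, min_entropy=3.5):
    """Domains whose queries look tunnelled: many queries, each with a unique,
    long, high-entropy subdomain (the label itself is carrying encoded data)."""
    flagged = []
    for domain, d in summarize(log_text).items():
        n = d["queries"]
        if (n >= min_queries and len(d["subs"]) / n >= 0.9
                and d["len"] / n >= min_avg_len and d["entropy"] / n >= min_entropy):
            flagged.append(domain)
    return flagged
```

Thresholds are starting points to tune against your own baseline; a public-suffix list should replace the naive two-label domain split in production.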
Although the malware is equipped with a wide range of functions, not all of them are active. Most likely, the inactive functions are still buggy and their developers are still refining them.
Since the disclosure of the Log4Shell vulnerability, more and more hackers have been exploiting it in their attacks, including groups associated with the governments of China, Iran, North Korea and Turkey. In December last year, experts discovered that the vulnerability was used to infect Linux devices with Mirai and Muhstik malware. These botnets attacked IoT devices and servers to install cryptocurrency miners on them and carry out DDoS attacks.