Qihoo 360’s Netlab security team reported that, “Based on its propagation using the file name ‘b1t’, the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes, a previously unknown backdoor has been discovered that targets Linux systems with the objective of enlisting the computers in a botnet and functioning as a channel for rootkit download and installation.”
The malware uses a technique known as DNS tunnelling to build its communication channel with the C2 servers, embedding encrypted data in DNS queries and responses. It was first discovered spreading through the Log4j vulnerability on February 9, 2022.
B1txor20 currently supports obtaining a shell, executing arbitrary commands, installing a rootkit, opening a SOCKS5 proxy and reporting sensitive information back to the C2 server, although some of these functions are still unstable.
Once a machine has been compromised, the malware uses the DNS tunnel to receive and execute commands from the server. The 15 implemented commands include uploading system information, running arbitrary system commands, reading and writing files, starting and stopping proxy services, and creating reverse shells.
Finally, the researchers concluded that, “Bot provides stolen sensitive information, command execution results, and any other information that has to be provided to C2 as a DNS request, after disguising it using certain encoding techniques. C2 transmits the payload to the Bot side as a response to the DNS request after receiving the request. Bot and C2 are able to communicate using the DNS protocol in this fashion.”
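The channel described above leaves a recognisable footprint in DNS logs: one host repeatedly querying long, high-entropy subdomains of a single apex domain. The following Python heuristic, added here as an example and not taken from Netlab’s report or the malware itself, scans constructed query-log lines for that pattern; the log format, the `c2-placeholder.test` domain and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log ("epoch client qname qtype"); NOT real B1txor20 traffic.
SAMPLE_LOG = """\
1646800000 10.0.0.5 www.example.com A
1646800001 10.0.0.5 mail.example.com MX
1646800002 10.0.0.7 4f3a9c1e2b7d8a6f0c5e1b2a3d4f5a6b.7c8d9e0f1a2b3c4d.c2-placeholder.test TXT
1646800003 10.0.0.7 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.1e2f3a4b5c6d7e8f.c2-placeholder.test TXT
1646800004 10.0.0.7 0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a.6b7c8d9e0f1a2b3c.c2-placeholder.test TXT
1646800005 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads in labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (apex, subdomain). Assumption: the apex is the last two labels
    (no public-suffix list), which is adequate for this heuristic."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text: str):
    """Parse the assumed 'epoch client qname qtype' format into dicts."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            recs.append({"client": parts[1], "qname": parts[2], "qtype": parts[3]})
    return recs

def flag_tunnelling(records, min_queries=3, min_len=30, min_entropy=3.0):
    """Apex domains whose subdomains look like an encoded data channel:
    repeated queries whose labels are long and high-entropy."""
    per_apex = defaultdict(list)
    for r in records:
        apex, sub = split_qname(r["qname"])
        per_apex[apex].append(sub.replace(".", ""))
    flagged = []
    for apex, subs in per_apex.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged.append(apex)
    return sorted(flagged)
```

Tune `min_len` and `min_entropy` against a baseline of the network's normal resolver traffic before acting on hits, since CDN and anti-spam lookups can also produce long labels.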