New malware families targeting Linux systems are discovered on a regular basis. One of them is RedXOR, a previously undocumented backdoor discovered by Intezer that masquerades as the polkit daemon on the compromised host.
Key similarities between RedXOR and Winnti
Based on its tactics, techniques, and procedures (TTPs), the backdoor is believed to have been developed by Chinese nation-state actors. Intezer's researchers uncovered key similarities between RedXOR and previously reported malware associated with the Winnti umbrella threat group.
Dr. Joakim Kennedy, a security researcher at Intezer, published a blog post on RedXOR in which he wrote:
“The samples are compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, hinting that RedXOR is used in targeted attacks against legacy Linux systems. Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and crypto miners, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”
Intezer also released recommendations for detecting and responding to this threat. If you are a victim, you should take the following steps:
- Kill the process and delete all files related to the malware.
- Make sure your machine is clean and running only trusted code using a Cloud Workload Protection Platform like Intezer Protect.
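Before killing anything, you need to find the process that is pretending to be polkitd. The triage helper below is an added example, not code from Intezer or from their report, and it encodes no RedXOR-specific indicators. It applies the generic check the page's description suggests: a process whose name looks like the polkit daemon but whose backing executable is not the distribution's polkitd binary (or has been deleted from disk after launch) deserves a closer look. The allowlist of genuine polkitd paths is an assumption that must be checked against your own packages, and the sample process records are constructed for the demonstration. The hashing helper is there because a practitioner should preserve a copy or at least a hash of the binary before deleting the files, or the evidence is gone.

```python
"""Triage helper: find processes that claim to be the polkit daemon but are
not backed by the distribution's polkitd binary.  Added example, not Intezer's code."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# ASSUMPTION: where a genuine polkitd lives on common distributions. Verify
# against your own package manager (rpm -ql polkit / dpkg -L policykit-1).
GENUINE_POLKITD: FrozenSet[str] = frozenset({
    "/usr/lib/polkit-1/polkitd",   # Debian, Ubuntu, Arch
    "/usr/libexec/polkitd",        # RHEL, Fedora
})


@dataclass
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # readlink of /proc/<pid>/exe (" (deleted)" suffix if unlinked)
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def looks_like_polkit(p: Proc) -> bool:
    """True if the process presents itself as polkit via comm or argv[0]."""
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    return "polkit" in p.comm.lower() or "polkit" in os.path.basename(argv0).lower()


def masquerade_findings(procs: Iterable[Proc],
                        genuine: FrozenSet[str] = GENUINE_POLKITD) -> List[Dict]:
    """Return one finding per polkit-looking process not backed by a known binary."""
    findings = []
    for p in procs:
        if not looks_like_polkit(p):
            continue
        if p.exe.endswith(" (deleted)"):
            findings.append({"pid": p.pid, "exe": p.exe,
                             "reason": "backing binary deleted after exec"})
        elif p.exe not in genuine:
            findings.append({"pid": p.pid, "exe": p.exe,
                             "reason": "polkit-like name but unexpected executable path"})
    return findings


def sha256_of_running_binary(pid: int) -> str:
    """Hash the binary via /proc/<pid>/exe; this works even if the file on
    disk was unlinked, so run it before killing the process."""
    h = hashlib.sha256()
    with open(f"/proc/{pid}/exe", "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def live_procs() -> List[Proc]:
    """Enumerate /proc on a Linux host (needs root to see other users' exe links)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cmdline = open(f"/proc/{pid}/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue   # process exited, or not ours and we are not root
        out.append(Proc(pid, comm, exe, cmdline))
    return out


# Constructed sample records (not real RedXOR data) for an offline run.
SAMPLE_PROCS = [
    Proc(1234, "polkitd", "/usr/lib/polkit-1/polkitd", "/usr/lib/polkit-1/polkitd --no-debug"),
    Proc(4321, "polkitd", "/home/alice/.cache/.polkitd", "polkitd"),
    Proc(5555, "polkitd", "/tmp/polkitd (deleted)", "/usr/lib/polkit-1/polkitd"),
    Proc(7777, "sshd", "/usr/sbin/sshd", "sshd: alice [priv]"),
]

if __name__ == "__main__":
    for f in masquerade_findings(SAMPLE_PROCS):
        print(f"pid {f['pid']}: {f['reason']} ({f['exe']})")
    # On a real host: masquerade_findings(live_procs()), then
    # sha256_of_running_binary(pid) for each hit before you kill and delete.
```

A clean system yields no findings; on a real host run it as root so that every process's exe link is readable, and record the hash and a copy of the binary before following the kill-and-delete step above.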