Date: 2022-03-16

Researchers at Qihoo 360’s Network Security Research Lab, 360 Netlab, have found new malware and named it B1txor20. The malware uses the infamous Apache Log4j vulnerability to spread to new hosts.

It uses DNS tunneling to communicate with C2

Researchers at 360 Netlab have captured four samples of the B1txor20 malware, beginning on the 9th of February. The captured malware has backdoor, SOCKS5 proxy, malware downloading, arbitrary command execution, and rootkit installation capabilities. It is also able to upload sensitive information. The most interesting aspect of B1txor20 is that it conceals its communication with the C2 server in DNS. It uses the DNS tunneling technique to get the malware and the data.
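For defenders, DNS tunneling of this kind tends to show up in resolver logs as many unique, long, high-entropy subdomains under a single parent domain. The following Python is an added example, not code from this article or from 360 Netlab; the thresholds, domains and IP addresses are constructed assumptions and do not reflect B1txor20's actual query format.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Naive split into (subdomain, parent) on the last two labels.
    Assumption: real deployments should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def suspected_tunnels(queries, min_unique=5, min_avg_len=24, min_avg_entropy=3.5):
    """Flag parents with many long, high-entropy subdomains (thresholds assumed)."""
    subs = defaultdict(set)
    for _client, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            subs[parent].add(sub)
    flagged = {}
    for parent, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[parent] = {"unique": len(names), "avg_len": avg_len,
                               "avg_entropy": round(avg_ent, 2)}
    return flagged


def constructed_log():
    """Constructed sample data, not real B1txor20 traffic."""
    log = [("10.0.0.5", h) for h in ("www.example.com", "mail.example.com", "cdn.example.com")]
    log += [("10.0.0.6", f"img{i}.example.org") for i in range(1, 9)]  # many, but short
    for i in range(8):  # encoded-looking 32-character labels
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()[:20])
        log.append(("10.0.0.7", f"{chunk.decode().lower()}.example.net"))
    return log


if __name__ == "__main__":
    for parent, stats in suspected_tunnels(constructed_log()).items():
        print(parent, stats)
```

Combining the unique-count, length and entropy criteria keeps the short numbered hostnames under example.org from being flagged even though there are many of them.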

360 Netlab researchers also state that the B1txor20 malware has more capabilities, but they are not enabled since they might still be under development and buggy. You can see the schema of the B1txor20 attacks created by 360 Netlab below:

The malware targets ARM-based Linux devices as well as those with x64 CPUs. The malware's unusual name comes from the file name it uses, b1t; the encryption algorithm it uses, XOR; and the RC4 algorithm key length, 20 bytes. You can see the full technical details of the B1txor20 malware by following the link below:

Click here to read 360 Netlab’s whitepaper regarding B1txor20 malware