Linux Botnet B1txor20 Exploits DNS Tunneling and Log4j Vulnerability

Security experts from Qihoo 360 have reported the emergence of a new botnet named B1txor20. This malware, still under development, targets Linux systems (ARM, x64), turning them into a network of bots capable of stealing confidential information, installing rootkits, creating reverse shells, and acting as proxy servers for third-party traffic.

Researchers first discovered B1txor20 on February 9, 2022, when the initial sample attacked one of their honeypots. In total, specialists analyzed four samples of the malware, all of which featured backdoor functionality, SOCKS5 proxy server capabilities, the ability to download additional malicious software, steal data, execute arbitrary commands, and install rootkits.

Key Features of B1txor20

One of the distinguishing features of B1txor20, according to analysts, is its use of DNS tunneling to communicate with its command-and-control server. This is an old but still reliable method used by cybercriminals to transmit malware and data through DNS queries.

“The bot sends stolen information, command execution results, and any other data to the command server, first hiding them using specific encoding methods within DNS queries,” the researchers explain. “After receiving such a request, the command server sends a payload back to the bot as a response. In this way, the bot and the command server communicate using the DNS protocol.”
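An added detection example, not code from the Qihoo 360 report or from the malware: a heuristic that scans DNS query logs for the traffic shape tunnelling produces (many never-repeated, long, high-entropy subdomain labels under one domain, heavily skewed to TXT). The log format, the sample lines, the "registered domain = last two labels" rule and the thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (assumed "client qtype qname" format, not real B1txor20 traffic).
# c2-demo.test imitates tunnelling: long, high-entropy, never-repeated labels, all TXT.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.7 AAAA mail.example.com
10.0.0.9 TXT 4f6d3a9b1c2e8d7f0a5b6c3d9e1f2a4b.c2-demo.test
10.0.0.9 TXT 9a1c3e5b7d0f2a4c6e8b1d3f5a7c9e0b.c2-demo.test
10.0.0.9 TXT 7d2f4b6a8c0e1d3f5a7b9c2e4d6f8a0b.c2-demo.test
10.0.0.9 TXT 0b8a6f4d2c1e9a7b5c3d1f0e2a4c6b8d.c2-demo.test
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(x) for x in set(s))) if n else 0.0

def domain_stats(text: str) -> dict:
    """Per registered domain (assumed: last two labels) aggregate the signals tunnelling changes."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "len": [], "ent": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        labels = m.group(3).rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry encoded data
        st, sub = stats[".".join(labels[-2:])], ".".join(labels[:-2])
        st["queries"] += 1
        st["txt"] += int(m.group(2).upper() == "TXT")
        st["subs"].add(sub)
        st["len"].append(len(sub))
        st["ent"].append(shannon_entropy(sub))
    return stats

def flag_tunnel_candidates(text, min_queries=4, min_len=24, min_entropy=3.5, min_txt=0.5):
    """Domains whose subdomains look like an encoded data channel. Thresholds are assumed
    starting points; CDNs and some anti-spam services also emit long labels, so tune them."""
    flagged = []
    for domain, st in domain_stats(text).items():
        q = st["queries"]
        if (q >= min_queries and sum(st["len"]) / q >= min_len
                and sum(st["ent"]) / q >= min_entropy
                and len(st["subs"]) / q >= 0.9 and st["txt"] / q >= min_txt):
            flagged.append(domain)
    return sorted(flagged)
```

On the constructed sample only `c2-demo.test` is flagged; a real deployment should whitelist known services that legitimately generate long labels and alert on the per-domain statistics rather than on single queries.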

Researchers note that the malware developers have included a wide range of features in B1txor20, some of which are currently inactive. This likely indicates that the malware is still in development, and the disabled features may still contain bugs.

Exploiting the Log4Shell Vulnerability

The malware is also actively exploiting the Log4Shell vulnerability, discovered in mid-December 2021. The bug was found by developers at the Apache Software Foundation, who released an emergency security update to fix the zero-day vulnerability (CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Project. The fix was urgent because security specialists quickly began publishing public proof-of-concept exploits, noting that the bug could be exploited remotely without advanced technical skills.

Although, according to recent data, attackers are gradually losing interest in Log4Shell after the initial wave of attacks, dozens of vendors still ship the vulnerable library in their products. The vulnerability has also been used by “government hackers” linked to authorities in China, Iran, North Korea, and Turkey, as well as by access brokers whose services are often used by ransomware groups.
