A new attack campaign that infosec researchers believe to be still ongoing is targeting Linux endpoints and servers. The operation deploys a never-before-seen threat called RedXOR malware. The threatening tool embeds itself into the compromised system, creates a backdoor channel, and gives broad control over the device to the threat actor.
RedXOR exhibits an extremely focused design that makes it unsuitable for attacks against a broader set of targets. Instead, the threat is built to remain invisible on a few strategically selected victims, as it needs to be compiled for the specific kernel version running on the chosen system. So far, the initial breach point for the RedXOR malware has not been found, but researchers note that once deployed the threat can perform a wide range of malicious activities. It can browse and manipulate the file system, fetch additional files, exfiltrate collected data, run web shells, or tunnel network traffic to a chosen destination. Furthermore, RedXOR has the capability to update itself. This functionality allows the attackers to install new versions if they believe the current one is about to be detected, increasing the chances of avoiding discovery.
The RedXOR malware exhibits some striking similarities to the malware tools of the Chinese-backed APT (Advanced Persistent Threat) Winnti Group (APT 41). The overlaps between RedXOR and Winnti's arsenal include the coding language of the threats, the employed open-source kernel rootkits, and the use of the XOR cipher for data encoding. It is entirely possible for a different group to have mimicked the techniques of Winnti. However, the researchers at Intezer who analyzed RedXOR believe that such a new threat actor will most likely also have ties to the Chinese government.
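As an added illustration, not code from the original article or from Intezer's analysis, the following Python shows how an analyst recovers XOR-encoded data of the kind the attribution above refers to: a known-plaintext crib yields a repeating key, and a printability score ranks candidates when the encoder is a single byte. The key, key length, crib and sample string are constructed assumptions, since the page gives no details of the actual scheme.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: if a crib (e.g. a config marker) is known to sit at
    the start of an encoded blob, XORing it against the ciphertext yields the repeating
    key for the first key_len positions. key_len is an assumption the analyst supplies."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("crib or ciphertext shorter than key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab/newline/CR allowed)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def brute_force_single_byte(ciphertext: bytes) -> list:
    """Rank all 256 single-byte keys by how printable the decoded result is,
    highest first; useful when no crib is available and the encoder is one byte."""
    scores = [(k, printable_ratio(xor_bytes(ciphertext, bytes([k])))) for k in range(256)]
    return sorted(scores, key=lambda t: t[1], reverse=True)


# Constructed sample: a hypothetical config string and key, not taken from the real malware.
SAMPLE_KEY = b"\x5a\x3c\x91"
SAMPLE_PLAINTEXT = b"cmd=update;host=example.invalid"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED, b"cmd=", len(SAMPLE_KEY))
    print(key.hex(), xor_bytes(SAMPLE_ENCODED, key))
    print(brute_force_single_byte(xor_bytes(SAMPLE_PLAINTEXT, b"\x7f"))[:3])
```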