Skip to main content

RedXOR Backdoor

First seen in early March 2021, RedXOR is a sophisticated backdoor tool targeting Linux servers and endpoints. Several of its functions and tactics appear to be taken from tools created by the Winnti APT group, suggesting it may be linked to them.

Threat ID:
CC-3792
Category:
Backdoor
Threat Severity:
Low
Published:
18 March 2021 1:03 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First seen in early March 2021, RedXOR is a sophisticated backdoor tool targeting Linux servers and endpoints. Several of its functions and tactics appear to be taken from tools created by the Winnti APT group, suggesting it may be linked to them.

Affected platforms

The following platforms are known to be affected:

Versions: most popular distributions

Linux

Threat details

Introduction

RedXOR is a newly observed backdoor believed to be created or associated with the Winnti advanced persistent threat group

Delivery

At the time of publication, it is unclear how RedXOR is delivered.

Activities

Once installed, RedXOR will attempt to connect to a command and control (C2) server. Any responding C2 server will request RedXOR collects system and user information, which is sent back as an encrypted query-like string. If successful, RedXOR will await further commands. By default RedXOR is able to:

  • create, edit, move, delete, upload, or download files and folders
  • install loadable kernel modules
  • start a reverse shell
  • open network tunnels using the Rinetd redirect utility

 

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 34[.]92[.]228[.]216
  • 158[.]247[.]208[.]230

Domains

  • update[.]cloudjscdn[.]com
Host indicators

Filenames

  • po1kitd.ko
  • po1kitd-update.desktop
  • S99po1kitd-update.sh

Processes

  • po1kitd-update-k

SHA256 hashes

  • 0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
  • 0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919

Last edited: 18 March 2021 1:32 pm