New Linux botnet exploits Log4J, uses DNS tunneling for comms (Security News, March 2022)
The newly found malware, dubbed B1txor20 by researchers at Qihoo 360's Network Security Research Lab, targets Linux devices running on ARM and x64 CPU architectures.
The botnet uses exploits for the Log4J vulnerability to infect new hosts, an appealing attack vector given that dozens of vendors ship products built on the vulnerable Apache Log4j logging library.
What makes B1txor20 stand out is its use of DNS tunneling as the communication channel with the command-and-control server: an old but still reliable technique in which threat actors abuse the DNS protocol to tunnel malware and data inside DNS queries and responses.
"After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol."
"Since the Log4J vulnerability was exposed, we see more and more malware jumping on the wagon; Elknot, Gafgyt, Mirai are all too familiar," 360 Netlab researchers added.
In December, they spotted threat actors exploiting the Log4J security flaw to infect vulnerable Linux devices with Mirai and Muhstik Linux malware.
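The DNS-tunneling C2 pattern described above leaves a footprint on the resolver: one zone receiving many distinct, long, high-entropy subdomain labels that carry encoded data rather than hostnames. The following detector is an added example, not 360 Netlab's code or real B1txor20 traffic; the log format, the `c2-placeholder.test` zone and the thresholds are constructed assumptions, and the "last two labels are the zone" split is a simplification that a real deployment would replace with a public-suffix list.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real B1txor20 traffic): "<epoch> client <ip> query: <qname> <qtype>"
SAMPLE_LOG = """\
1647000001 client 10.0.0.5 query: www.example.com A
1647000002 client 10.0.0.5 query: mail.example.com A
1647000003 client 10.0.0.7 query: 4f6e65bf9a0d3c2e1b7a8f9d0c1b2a3e.c2-placeholder.test TXT
1647000004 client 10.0.0.7 query: 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.c2-placeholder.test TXT
1647000005 client 10.0.0.7 query: 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.test TXT
1647000006 client 10.0.0.9 query: cdn.example.com A
"""
LINE_RE = re.compile(r"query: (?P<qname>\S+) (?P<qtype>\S+)")

def shannon_entropy(s):
    """Bits per character; hex- or base32-encoded chunks score far above hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain, zone), treating the last two labels as the zone (simplification)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_zones(log_text):
    """Per zone: number of distinct subdomains, their mean length and mean entropy."""
    per_zone = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sub, zone = split_name(m.group("qname"))
            per_zone[zone].add(sub)
    return {
        zone: {
            "unique_subdomains": len(subs),
            "mean_sub_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
        for zone, subs in per_zone.items()
    }

def flag_tunnel_candidates(log_text, min_unique=3, min_len=20, min_entropy=3.5):
    """Zones whose labels look like encoded payload chunks rather than hostnames."""
    return sorted(
        zone for zone, s in score_zones(log_text).items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_sub_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )
```

Thresholds need tuning per environment, since CDNs and some legitimate services also emit many hashed-looking labels; pairing this with query type (TXT-heavy zones) and per-client volume over a time window reduces false positives.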