Security News > 2022 > March > New Linux botnet exploits Log4J, uses DNS tunneling for comms

New Linux botnet exploits Log4J, uses DNS tunneling for comms
2022-03-15 20:22

The newly found malware, dubbed B1txor20 by researchers at Qihoo 360's Network Security Research Lab, focuses its attacks on Linux ARM, X64 CPU architecture devices.

The botnet uses exploits targeting the Log4J vulnerability to infect new hosts, a very appealing attack vector seeing that dozens of vendors use the vulnerable Apache Log4j logging library.

What makes the B1txor20 malware stand out is the use of DNS tunneling for communication channels with the command-and-control server, an old but still reliable technique used by threat actors to exploit the DNS protocol to tunnel malware and data via DNS queries.

"After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol."

"Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar," 360 Netlab researchers added.

In December, they spotted threat actors exploiting the Log4J security flaw to infect vulnerable Linux devices with Mirai and Muhstik Linux malware.


News URL

https://www.bleepingcomputer.com/news/security/new-linux-botnet-exploits-log4j-uses-dns-tunneling-for-comms/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232