New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw (Security News, March 2022)

First observed propagating through the Log4j vulnerability on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control servers by encoding data in DNS queries and responses.
B1txor20, while also buggy in some ways, currently supports obtaining a shell, executing arbitrary commands, installing a rootkit, opening a SOCKS5 proxy, and uploading sensitive information back to the C2 server.
Once a machine is successfully compromised, the malware utilizes the DNS tunnel to retrieve and execute commands sent by the server.
"Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request," the researchers elaborated.
"After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol."
A total of 15 commands are implemented, chief among them being uploading system information, executing arbitrary system commands, reading and writing files, starting and stopping proxy services, and creating reverse shells.
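The exchange described above, a bot encoding data into DNS query names and a C2 answering inside DNS responses, leaves a recognisable footprint in resolver logs: unusually long labels, high-entropy subdomains, record types such as TXT or NULL that ordinary clients rarely query, and many unique subdomains under one parent domain. The following is an added detection example, not code from the article or from the researchers; it runs simple heuristics over constructed log lines (the domain `c2-placeholder.example` and the hex payloads are made up for illustration) and flags a parent domain only when at least two independent indicators agree, to reduce false positives from CDNs or mail infrastructure that legitimately use many subdomains.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not taken from the article): "timestamp client qtype qname".
# The .example parent domain and hex-looking labels are placeholders for illustration only.
SAMPLE_LOG = """\
2022-02-09T10:00:01 10.0.0.5 A www.example.com
2022-02-09T10:00:02 10.0.0.5 TXT 4a6f686e2d446f652d7365637265742d646174612d.t.c2-placeholder.example
2022-02-09T10:00:02 10.0.0.5 TXT 7a9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b.t.c2-placeholder.example
2022-02-09T10:00:03 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.t.c2-placeholder.example
2022-02-09T10:00:03 10.0.0.7 A mail.example.com
2022-02-09T10:00:04 10.0.0.5 TXT 0011223344556677889900aabbccddeeff001122.t.c2-placeholder.example
2022-02-09T10:00:05 10.0.0.7 AAAA cdn.example.net
2022-02-09T10:00:05 10.0.0.5 TXT deadbeefcafef00d0123456789abcdef01234567.t.c2-placeholder.example
"""

# Heuristic thresholds; tune against your own baseline traffic.
MAX_LABEL_LEN = 30          # a single DNS label longer than this is rare in normal traffic
ENTROPY_THRESHOLD = 3.0     # bits per character; hex/base32 payloads sit well above this
MIN_SUBDOMAIN_LEN = 16      # ignore entropy for short subdomains like "www" or "mail"
MIN_UNIQUE_SUBDOMAINS = 5   # tunnels generate a fresh subdomain per message
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}  # record types with room for a payload
MIN_INDICATORS = 2          # require independent indicators before flagging a domain


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def split_qname(qname):
    """Split a name into (subdomain, parent). Parent = last two labels; this
    simplification (assumption) ignores public-suffix rules like co.uk."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(q):
    """Return the set of per-query indicators for a single DNS query."""
    indicators = set()
    sub, _ = split_qname(q["qname"])
    longest_label = max((len(label) for label in sub.split(".")), default=0)
    if longest_label > MAX_LABEL_LEN:
        indicators.add("long-label")
    flat = sub.replace(".", "")
    if len(flat) >= MIN_SUBDOMAIN_LEN and shannon_entropy(flat) > ENTROPY_THRESHOLD:
        indicators.add("high-entropy")
    if q["qtype"] in TUNNEL_QTYPES:
        indicators.add("tunnel-qtype")
    return indicators


def analyze_dns_log(text):
    """Aggregate per parent domain and return only domains with >= MIN_INDICATORS."""
    per_domain = defaultdict(lambda: {"queries": 0, "clients": set(),
                                      "subdomains": set(), "reasons": set()})
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        sub, parent = split_qname(q["qname"])
        d = per_domain[parent]
        d["queries"] += 1
        d["clients"].add(q["client"])
        d["subdomains"].add(sub)
        d["reasons"].update(score_query(q))

    flagged = {}
    for parent, d in per_domain.items():
        reasons = set(d["reasons"])
        if len(d["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.add("many-subdomains")
        if len(reasons) >= MIN_INDICATORS:
            flagged[parent] = {"queries": d["queries"],
                               "clients": sorted(d["clients"]),
                               "unique_subdomains": len(d["subdomains"]),
                               "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for parent, info in analyze_dns_log(SAMPLE_LOG).items():
        print(parent, info)
```

On the constructed log the only flagged parent is `c2-placeholder.example`, with all four indicators and a single source client; `example.com` and `example.net` pass because short, low-entropy labels over A/AAAA records trip nothing. In production the same aggregation would run per client and per time window, and the flagged domains would be checked against a resolver allow-list before alerting.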
News URL
https://thehackernews.com/2022/03/new-b1txor20-linux-botnet-uses-dns.html
Related news
- Malware botnets exploit outdated D-Link routers in recent attacks
- New Mirai botnet targets industrial routers with zero-day exploits
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
- MikroTik botnet uses misconfigured SPF DNS records to spread malware
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet
- New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux