Researchers on Tuesday found that a honeypot system had captured an unknown Executable and Linkable Format (ELF) Linux file propagating through a Log4j vulnerability.
In a blog post, 360Netlab researchers say that the network traffic generated by this sample triggered a DNS Tunnel alert in their system. The researchers investigated further and found a new botnet family which they named B1txor20 based on it using the file name “b1t,” the XOR algorithm, and the RC4 algorithm key length of 20 bytes.
The researchers said the new botnet is a backdoor for the Linux platform, a type of tool that is easy to deploy in cloud environments. B1txor20 is capable of stealing sensitive data, installing rootkits, and creating reverse shells, in which the attacker waits for the victim machine to initiate an outgoing connection.
Seeing a new botnet family leveraging the Log4j vulnerability and DNS tunneling for communication is interesting, but not unexpected, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said malware authors are known for quickly developing new strains to leverage recent vulnerabilities and combining different techniques to try and avoid detection.
“Fortunately, DNS tunneling is relatively easy to detect and multiple tools exist that can disrupt an attacker’s use of DNS for command and control,” Parkin said. “It’s easy to deploy these tools in a cloud environment as well as on-premises, and some form of DNS protection should be considered a best practice. While that wouldn’t stop the initial infection, it would effectively contain the breach since the attacker won’t be able to control the victim system. This new botnet does reinforce the need to patch for the Log4J vulnerability, and make sure the organization has the tools and capabilities to manage this kind of risk in their environment.”
This is a pretty thoughtfully designed piece of malware, said Casey Ellis, founder and CTO at Bugcrowd. Ellis said B1txor20 seems to have been tailored toward vulnerable Log4j instances inside Linux data centers that have otherwise been hardened.
"Limiting outbound connections is one of the key mitigations for Log4Shell, but DNS tunneling is a fairly reliable way to get around this type of control where it exists, and the SOCKS5 updater can achieve this goal as well," Ellis said. "Aside from finding and patching Log4j wherever possible, monitoring and restricting outbound DNS requests is the only practical defense for this."
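Both experts point to the same defensive lever: DNS tunneling is detectable because encoded command-and-control traffic looks nothing like ordinary hostname lookups. The script below is an added illustration, not code from the article or from 360Netlab, of the kind of heuristic a resolver-log monitor can apply. It scores each outbound query on label length, character entropy, label count and record type, then reports registered domains that attract a sustained run of high-scoring queries. The log format, the thresholds, the domain names and every log line are constructed for this example; a production deployment would read real resolver logs and use the public suffix list rather than the last-two-labels approximation.

```python
import math
from collections import defaultdict

# Constructed sample of outbound DNS query log lines (not from the article).
# Assumed format: "<unix_ts> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1647331200 10.0.0.5 A www.example.com
1647331200 10.0.0.5 AAAA www.example.com
1647331201 10.0.0.5 A cdn.static.example.net
1647331202 10.0.0.9 A mail.example.org
1647331203 10.0.0.9 MX example.org
1647331204 10.0.0.5 A api.example.com
1647331205 10.0.0.7 TXT q7x2mz9vk4pw8lt3hg5jd1rc6yfn0bse.tunnel-example.test
1647331206 10.0.0.7 TXT m4kz8qp1xw3vt7nl9gh2bd5rc0ysf6je.tunnel-example.test
1647331207 10.0.0.7 TXT zr5tk2wv9mq4lx8hp7gj1bn3cd6fy0se.tunnel-example.test
1647331208 10.0.0.7 TXT v1gq6hm3wz8kt5xr2pn9lb7dc4fj0yse.tunnel-example.test
1647331209 10.0.0.7 TXT k9pw4xz2tm7vq1lh5gr8nb3dj6cf0yes.tunnel-example.test
1647331210 10.0.0.7 TXT h3mv7qk1zx5wt9pr2gl8nb4cj6df0yse.tunnel-example.test
"""

# Heuristic thresholds (assumed values, tune against your own baseline traffic).
LONG_LABEL = 30            # human-chosen host labels are rarely this long
HIGH_ENTROPY = 3.5         # bits/char; encoded payloads approach log2(alphabet size)
MANY_LABELS = 4            # deep subdomain nesting is another weak signal
PAYLOAD_QTYPES = {"TXT", "NULL"}  # record types that can carry arbitrary data back


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into (timestamp, client, qtype, normalized qname)."""
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str):
    """Return (subdomain_labels, registered_domain).
    Assumption: the registered domain is the last two labels."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_score(qname: str, qtype: str) -> int:
    """Count the tunneling indicators present in a single query (0..4)."""
    sub, _ = split_name(qname)
    score = 0
    if sub and max(len(label) for label in sub) > LONG_LABEL:
        score += 1
    if shannon_entropy("".join(sub)) >= HIGH_ENTROPY:
        score += 1
    if len(sub) + 2 >= MANY_LABELS:
        score += 1
    if qtype in PAYLOAD_QTYPES:
        score += 1
    return score


def detect_tunnels(log_text: str, min_flagged: int = 5,
                   min_ratio: float = 0.6, flag_threshold: int = 2) -> dict:
    """Aggregate per registered domain; return domains whose traffic is
    dominated by queries scoring at or above `flag_threshold`."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        sub, domain = split_name(qname)
        s = stats.setdefault(domain, {"queries": 0, "flagged": 0,
                                      "clients": set(), "subdomains": set()})
        s["queries"] += 1
        s["clients"].add(client)
        s["subdomains"].add(".".join(sub))
        if query_score(qname, qtype) >= flag_threshold:
            s["flagged"] += 1
    return {d: s for d, s in stats.items()
            if s["flagged"] >= min_flagged
            and s["flagged"] / s["queries"] >= min_ratio}


if __name__ == "__main__":
    for domain, s in detect_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {domain} "
              f"({s['flagged']}/{s['queries']} queries flagged, "
              f"{len(s['subdomains'])} unique subdomains, "
              f"clients={sorted(s['clients'])})")
```

Requiring at least two indicators per query keeps ordinary CDN names with several labels (the `cdn.static.example.net` line) below the flag threshold, while the aggregation step means one odd-looking lookup never raises an alert on its own; only a domain that keeps receiving unique, high-entropy, payload-carrying queries does. The same counters (unique subdomains per domain, TXT/NULL volume per client) are what commercial DNS protection products typically surface.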