New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel

B1txor20 is a Linux backdoor that uses DNS tunneling to build C2 channels, with features like a SOCKS proxy and remote rootkit installation. The article details its reverse analysis, BotID generation, DNS tunnel encoding/decoding, C2 communications, and a list of available commands. #B1txor20 #DNS_Tunnel #Rootkit #webserv_systems

Keypoints

  • B1txor20 is a Linux backdoor that uses DNS Tunnel to establish C2 channels and supports both direct connections and relays, with traffic protected by ZLIB compression, RC4 encryption, and BASE64 encoding, targeting ARM and x64 Linux.
  • The malware generates a BotID from /etc/machine-id, /tmp/.138171241, or /dev/urandom, then decrypts the domain and RC4 key to test DNS connectivity and contact C2.
  • C2 is identified as webserv.systems (194.165.16.24), with DNS-based registration and command delivery; connectivity tests involve DNS servers 8.8.8.8, 8.8.4.4, and 194.165.16.24:443.
  • The DNS tunnel constructs a tunnel domain name via a pre-construction format (0xFF separators) and then applies ZLIB, RC4, and Base64 to transmit information; final domain queries reveal BotID, Stage, and TaskInfo.
  • B1txor20 implements 14 C2 commands (e.g., beacon, upload info, reverse shell, install rootkit) and 15 functions, including 0x21 Reverse shell and 0x51 install M3T4M0RPH1N3.ko rootkit.
  • Several features are buggy or unused in some samples, and a notable observation is that the domain webserv.systems has a six-year registration window, indicating long-term C2 potential.

MITRE Techniques

  • [T1071.004] DNS – “using DNS Tunnel to establish communication with C2 and wait for the execution of the commands sent by C2.”
  • [T1027] Obfuscated/Compressed Files and Information – “ZLIB compression, RC4 encryption, and Base64 encoding” used to protect the traffic.
  • [T1059.004] Unix Shell – “0x21 Reverse shell” as part of remote command execution capabilities.
  • [T1090] Proxy – “Start proxy service” indicating traffic forwarding and proxy use for C2 communication.
  • [T1014] Rootkit – “install M3T4M0RPH1N3.ko rootkit” as a delivered capability.
  • [T1041] Exfiltration Over C2 Channel – “Upload system info” (and other data) via the C2 channel.

Indicators of Compromise

  • [Domain] C2 domain – webserv.systems; tunnel domain patterns such as KPvBKs8yqO1tTUQkCqGWN9anB4RAGWhnJy8A.dns.webserv.systems
  • [IP Address] C2/contact points – 194.165.16.24:53, 194.165.16.24:443
  • [MD5] Sample hashes – 0a0c43726fd256ad827f4108bdf5e772, 027d74534a32ba27f225fff6ee7a755f
  • [URL] Downloader endpoints – hxxp://194.165.16.24:8229/b1t_1t.sh, hxxp://194.165.16.24:8228/b1t
  • [URL] Additional downloader/file references – ldap://179.60.150.23:1389/o=tomcat, xExportObject.class
  • [Domain] Additional domain/resolution – webserv.systems (and derived dns.webserv.systems domains)
  • [IP] Surveillance/scanner data sample – 104.244.73.126, 185.220.101.134 (examples from the scanner list)
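The following Python script is an added example for defenders and is not code from the original report or from the 360 Netlab article it summarizes. It does two things the summary describes: it scans a constructed DNS query log for queries matching the reported tunnel pattern under dns.webserv.systems (and, as a generalization beyond the page, for long high-entropy leading labels under any domain), and it peels the ZLIB / RC4 / Base64 layers back in the order the Keypoints list them to recover the 0xFF-separated fields. The log format, the entropy threshold, the use of URL-safe Base64 without padding (so the result is a legal DNS label), the field contents and the `DEMO_KEY` are all assumptions made for this example; the real sample's key and exact alphabet must come from analysis.

```python
import base64
import math
import re
import zlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DNS query log (not real telemetry). One query per line:
# <epoch> <client_ip> <qname> <qtype>
SAMPLE_DNS_LOG = """\
1647340001 10.0.0.21 www.example.com A
1647340002 10.0.0.21 KPvBKs8yqO1tTUQkCqGWN9anB4RAGWhnJy8A.dns.webserv.systems A
1647340003 10.0.0.33 mail.example.org MX
1647340004 10.0.0.21 xa9JfHq2m0lZ7p3T4vWc8bQ1LkR6yN0Ds5Ei.dns.webserv.systems TXT
1647340005 10.0.0.40 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.t.example-tunnel.test A
1647340006 10.0.0.40 q7Hx2Lm9Zp4Wv1Kc8Rt3Yn6Bd5Fg0Js.t.example-tunnel.test A
"""

KNOWN_C2_SUFFIX = ".dns.webserv.systems"  # tunnel domain pattern reported for B1txor20
# Generic heuristic: a leading label of 20+ characters from a Base64-like alphabet
BASE64ISH_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits/char, chosen for this demo; tune against your own DNS baseline

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted data sits near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

@dataclass
class Hit:
    client: str
    qname: str
    reason: str

def classify_qname(qname: str) -> Optional[str]:
    """Return why a query name looks like tunnel traffic, or None if it looks benign."""
    q = qname.rstrip(".")
    if q.lower().endswith(KNOWN_C2_SUFFIX):
        return "known B1txor20 tunnel suffix"
    leading = q.split(".")[0]
    if BASE64ISH_LABEL.match(leading) and shannon_entropy(leading) > ENTROPY_THRESHOLD:
        return "long high-entropy leading label"
    return None

def scan_log(log_text: str) -> List[Hit]:
    """Run the classifier over every log line and collect the suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname, _qtype = parts
        reason = classify_qname(qname)
        if reason:
            hits.append(Hit(client, qname, reason))
    return hits

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

FIELD_SEP = b"\xff"  # separator of the pre-construction format described in the report
DEMO_KEY = b"demo-key-not-the-real-one"  # constructed; the sample's key comes from analysis

def build_tunnel_label(fields: List[bytes], key: bytes) -> str:
    """Apply the layers in the order the report lists them: 0xFF join, ZLIB, RC4, Base64.
    URL-safe Base64 without padding is an assumption so the output is a legal DNS label."""
    raw = FIELD_SEP.join(fields)
    return base64.urlsafe_b64encode(rc4(key, zlib.compress(raw))).decode().rstrip("=")

def decode_tunnel_label(label: str, key: bytes) -> List[bytes]:
    """Peel the layers back: Base64 -> RC4 -> ZLIB -> split on 0xFF to recover the fields."""
    padded = label + "=" * (-len(label) % 4)
    raw = zlib.decompress(rc4(key, base64.urlsafe_b64decode(padded)))
    return raw.split(FIELD_SEP)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_DNS_LOG):
        print(f"{hit.client:12} {hit.reason:32} {hit.qname}")
    demo_fields = [b"BOTID-constructed", b"\x01", b"TaskInfo"]
    print(decode_tunnel_label(build_tunnel_label(demo_fields, DEMO_KEY), DEMO_KEY))
```

The suffix match is the high-confidence rule and should feed a block or alert directly; the entropy heuristic is a hunting aid that will also fire on legitimate services that encode data in DNS labels, so it belongs in a triage queue rather than an automatic block. Note that `rc4` is included only so the decode path runs offline; a key recovered from a sample is the prerequisite for using it on real traffic.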

Read more: https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/