A previously unknown backdoor targeting Linux systems has been discovered, acting as a conduit to connect machines to a botnet then download and install rootkits. The malware was named B1txor20 because it spread using the b1t filename, the XOR encryption algorithm, and a key length of 20 bytes in the RC4 algorithm. The malware was discovered spreading via the ‘Log4j’ vulnerability for the first time on February 9, 2022. It uses a technique known as DNS tunnelling to establish communication channels with command and control(CC) servers by encoding data in DNS queries and responses.

It is also stated that the malware actively exploits the ‘Log4Shell’ vulnerability, which was discovered in mid-December last year. Found by Apache Software Foundation developers who have released an emergency security update that fixes a zero-day vulnerability (CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Project.

Despite several shortcomings, 'B1txor20' should still be considered a serious threat since it currently supports functions such asobtaining a shell, executing arbitrary commands, installing a rootkit, opening a SOCKS5 proxy, and restoring sensitive information to the C2 server. When malware successfully compromises a machine, it uses the DNS tunnel to receive and execute commands sent by the server. After covering up the stolen sensitive information, command execution results, and other information with specific coding techniques, the bot sends a DNS request to C2. In response to the DNS request, C2 sends the payload to the Bot side. Bot and C2 communicate using the DNS protocol in this manner.

The malware is able to load system information, execute arbitrary system commands, read and write files, start or stop proxy services, and create reverse shells.


Users who choose to integrate the ‘DNS and Security Gap Visibility’ solution in to their current EDR solution, are able to detect the specific applications that send queries to these suspicious domains. In other words, the files, executables, and applications infected as a result of the ‘Log4J’ vulnerability can be identified directly.

Ready to get started?

Start your free 14-days trial

Try Roksit free. No credit card required.