March 21, 2022
Severity
Medium
Analysis Summary
B1txor20 is a Linux-based backdoor that builds its C2 communication channel using DNS tunneling. Alongside traditional backdoor functions, it also provides a SOCKS5 proxy, remote installation, and downloading of rootkits. Since it is a fairly new backdoor, some bugs are still present in its code. The backdoor uses ZLIB compression, Base64 encoding, and RC4 encryption to protect its traffic. The main features currently supported are listed below.
- SHELL
- Proxy
- Execute arbitrary commands
- Install Rootkit
- Upload sensitive information
Basic Flowchart from Netlab.
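As an added illustration, not taken from the Rewterz alert or from Netlab's analysis, the following script shows one way to hunt for the DNS-tunnel C2 channel the summary describes: it scores each query's leftmost label for the long, Base64-shaped, high-entropy pattern that encoded data carried in a QNAME produces, then counts hits per client and zone. The resolver log format, the thresholds and the sample log lines are constructed assumptions, not values from the alert.

```python
import math
import re
from collections import Counter

# Constructed resolver log for the demo (not from the alert): "<unix_ts> <client_ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
1647849600 10.0.0.5 www.example.com A
1647849601 10.0.0.5 mail.example.com MX
1647849602 10.0.0.7 eJzLSM3JyVcozy-KSVEEAB1-BGU.c2.tunnel-example.test TXT
1647849603 10.0.0.7 H4sIAAAAAAAAA0vOz0vLzy9RyMhPz8xLVUgsSk3MKwEAHkCNVQ.c2.tunnel-example.test TXT
1647849604 10.0.0.7 eJwrSS0uUShJLS4BAA4YAlU.c2.tunnel-example.test TXT
1647849605 10.0.0.5 cdn.example.com A
"""

# The alert says traffic is ZLIB-compressed, Base64-encoded and RC4-encrypted; the Base64 step
# means data-carrying labels come from this alphabet (URL-safe variant assumed, since '+' and '/'
# are not legal in hostnames).
B64_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")
MIN_LABEL_LEN = 20      # ordinary hostnames rarely have a leftmost label this long
MIN_ENTROPY = 3.5       # bits/char; "www"/"mail" sit far below, compressed+encoded data well above

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_zone(qname: str, zone_labels: int = 2) -> str:
    # Assumes the zone is the last two labels; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-zone_labels:])

def is_tunnel_like(qname: str) -> bool:
    """A long, Base64-shaped, high-entropy leftmost label is the signature of data-in-QNAME tunneling."""
    first = qname.split(".")[0]
    return (len(first) >= MIN_LABEL_LEN
            and B64_LABEL.match(first) is not None
            and shannon_entropy(first) >= MIN_ENTROPY)

def find_tunnel_candidates(log_text: str, min_hits: int = 2) -> dict:
    """Count tunnel-like queries per (client, zone); report pairs at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue   # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = parts[:4]
        if is_tunnel_like(qname):
            hits[(client, registrable_zone(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for (client, zone), n in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {zone}: {n} tunnel-like queries")
```

A single long label is weak evidence on its own (CDN and cloud hostnames can trip it), which is why the script only reports a client/zone pair once it repeats.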
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
IP
- 194[.]165[.]16[.]24
URL
- http[:]//179[.]60[.]150[.]23[:]8000/xExportObject[.]class
- http[:]//194[.]165[.]16[.]24[:]8229/b1t_1t[.]sh
- http[:]//194[.]165[.]16[.]24[:]8228/b1t
- http[:]//194[.]165[.]16[.]24[:]8228/_run[.]sh
- http[:]//194[.]165[.]16[.]24[:]8229/b4d4b1t[.]elf
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.