B1txor20 is assembling its army of bot on Linux machines. It is exploiting the
Log4j vulnerable systems to gain access and maintain foothold. Netlab 360 named it B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. It appears to be in active development. It has the ability to steal sensitive info, installing rootkits, creating reverse shells, and acting as web traffic proxies. B1txor20 uses DNS Tunnel to establish command and control channel, support direct connection and relay, while using ZLIB compression, RC4 encryption, BASE64 encoding to protect the traffic of the backdoor Trojan.
B1txor20 Signatures
Family: Linux/BitXo.A!tr
MD5: 43fcb5f22a53a88e726ebef46095cd6b
SHA256: 7a9981c972ca335b90a13cce275d0d08328ea64c5369287f1bb0c0a0f996b223
B1txor20 Download