RedXOR Backdoor Linked to Chinese Actor


Researchers discovered a new type of malware targeting and named it RedXOR. RedXOR creates a backdoor in the system, allowing the attacker to completely control the infected computer.

 The samples were uploaded from Indonesia and Taiwan, and the VT detection rate was extremely low. RedXOR has similarities with the malware used by the Winnti Group. Researchers believe that the malware was developed by China and believe that the attack is still ongoing.

RedXOR allows to browse files, upload and download files, steal data, deploy Web Shell or tunnel network traffic to another destination. The malware is designed to be “very secretive” and needs to be compiled for a specific kernel version running on the target computer, making it more suitable for attacking targets under specific conditions.

Chinese Actor

Researchers believe that there are key similarities between RedXOR and previously reported malware associated with the Winnti Group. These malwares are PWNLNX backdoor and XOR.DDOS and Groundhog.

Similarities between the samples:

  1. Use the old open source kernel rootkit: RedXOR uses an open source LKM rootkit called ” Adore-ng ” to hide its processes. Embedding the open source LKM rootkit is a common technology of Winnti.
  2. RedXOR used CheckLKM function names have also been used in PWNLNX and XOR.DDOS in.
  3. Provide a pseudo terminal for the operator: RedXOR uses the Python pty shell by importing the python pty library . PWNLNX implements the pty shell function in c.
  4. Use XOR to encode network data: The backdoor uses an XOR-based scheme to encode its network data. Previous Winnti malware (including PWNLNX) has used XOR to encode network data.
  5. Persistence service name: As part of its persistence method, RedXOR tries to create a service under rc.d. The developer added “S99” before the service name to lower its priority and make it run last when the system starts. This technique is used in the XOR.DDOS and Groundhog examples, where the malware developer adds “S90” to the service name.
  6. Main function flow: PWNLX and RedXOR have the main function responsible for initialization. In these two backdoors, the main function calls another function responsible for the main logic. The main logical function name of REDXOR is main_process , and PWLNX is MainThread .
  7. XML for file list: RedXOR’s directory function and PWNLNX’s getfiles function are both responsible for directory listing. However, their code flow implementations are different because both types of malware send directory listings as XML files to the server. The file data saved in XML is: path, name, type, user, permission, size, time.
  8. Old Red Hat Compiler: Both RedXOR and PWNLNX are compiled with Red Hat 4.4.7 compiler. This compiler is the default GCC compiler on RHEL6.
  9. Chown similarity: Both PWNLNX and RedXOR change the user and group owner of the file to a larger ID. The same technique has been used to pass in XOR.DDoS.
  10. Overall flow and function: RedXOR’s overall code flow, behavior and function are very similar to PWNLNX. Both have file upload and download functions and a running shell. The network tunnel function in both series is called “PortMap”.
  11. Unstripped ELF binary files: Malware developers often tamper with the symbols or sections of files, making it more difficult for researchers to analyze them. However, RedXOR and various Winnti malware (including PWNLNX and XOR.DDOS) were not deleted.
pwnlnx & redxor

The list of command by RedXOR:

0000System information
1010Install LKM
2049List folder
2054Upload file
2055Open file
2056Execute with system
2058Remove file
2060Remove folder
2062Create new folder
2066Write content to file
3000Start shell
3058Exec shell command
3999Close tty
4001Portmap (Proxy)
4002Kill portmap

Data collected and send to the C2 server

URL keyDescriptionComment
hostipIPHardcoded to
softtype Hardcoded to “Linux
pscaddrMAC address 
hostnameMachine name 
hosttarUsernamePossibly “host target”
hostosDistributionExtracted from /etc/issue or /etc/redhat-release
hostcpuClock speed/proc/cpuinfo
hostmemAmount of memory/proc/meminfo
hostpack Hardcoded to “Linux”
lkmtagIs rootkit enabled 
kernelKernel versionExtracted from uname


Process name

Created file/folder on disk