Log4j 2 is a Java logging library that is open source and extensively used in a variety of software applications and services throughout the world. The Log4j vulnerability gives threat actors the potential to take control of any Java-based, internet-facing server and launch Remote Code Execution (RCE) attacks.

What Happened?

A newly found botnet that is still in active development targets Linux computers, seeking to pull them into an army of bots ready to steal sensitive information, install rootkits, create reverse shells, and operate as web traffic proxies while they are online.

The newly discovered virus, named B1txor20 by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), primarily targets Linux ARM and X64 CPU architecture systems, according to the researchers.

A vulnerability in the Apache Log4j logging library is used by the botnet to infect new computers, making it a particularly enticing attack vector since hundreds of manufacturers utilize the vulnerable Apache Log4j logging library.

The researchers discovered a total of four malware variants, each of which had a backdoor, a SOCKS5 proxy, malware downloading, data theft, arbitrary command execution, and rootkit-installing capabilities, among other features.

This virus is unique in that it makes use of DNS tunneling for communication channels with its command-and-control (C2) server, an ancient but still reliable approach used by threat actors to abuse the DNS protocol in order to tunnel malware and data via DNS requests.

As BleepingComputer reports, a DNS request is sent to the C2 server with the stolen sensitive information, command execution results, and any additional information that has to be transmitted, all of which has been hidden using special encoding methods, according to the researchers.

Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; after receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol.
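As an added example (not from 360 Netlab or the original article), the following Python sketch shows how a defender might flag the kind of DNS-tunnel traffic described above in resolver logs: many unique, long, high-entropy subdomain labels sent by one client to one domain. The log format, the sample names, and the thresholds are assumptions made for illustration and do not reproduce B1txor20's actual encoding.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines ("client qtype qname"); every name is made up.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A api.example.com
10.0.0.5 A shop.example.com
10.0.0.7 A cdn.static.example.org
10.0.0.9 TXT 4fd2a91c7be03a6618c9d0e2b7a45f13.t.tunnel-test.invalid
10.0.0.9 TXT b81e5c0d97a3f62e4417d9ac05b3e86f.t.tunnel-test.invalid
10.0.0.9 TXT 0c7f19e2d4ab6853f0917ce4b2a6d385.t.tunnel-test.invalid
10.0.0.9 TXT e3a90b5d7c41f2688f26d1c47a5b09e3.t.tunnel-test.invalid
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_tunnel_suspects(log_text, min_unique=3, min_len=20, min_entropy=3.0):
    """Return {(client, base_domain): stats} for groups matching all heuristics."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain, so nothing that could carry data
        # Assumption: base domain = last two labels. Use the Public Suffix
        # List in production so names under e.g. co.uk are grouped correctly.
        base = ".".join(labels[-2:])
        groups[(client, base)].add(max(labels[:-2], key=len))
    suspects = {}
    for key, longest in groups.items():
        avg_len = sum(map(len, longest)) / len(longest)
        avg_ent = sum(map(shannon_entropy, longest)) / len(longest)
        if len(longest) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            suspects[key] = {"unique": len(longest), "avg_len": avg_len,
                             "avg_entropy": round(avg_ent, 2)}
    return suspects

if __name__ == "__main__":
    for (client, base), stats in find_tunnel_suspects(SAMPLE_LOG).items():
        print(client, base, stats)
```

The thresholds need tuning against a baseline of your own traffic, since some legitimate services (CDNs, anti-virus reputation lookups) also generate long machine-made labels.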


Researchers from 360 Netlab also discovered that despite the malware’s makers incorporating a more extensive set of functions, not all of them were activated.

The deactivated features remain problematic, which is most likely a hint that B1txor20’s developers are still working on improving them so that they can be toggled back on at a later point.

A further section of the 360 Netlab report contains additional information, including Indicators of Compromise (IOCs) and a list of all C2 commands that have been tested and are supported.

Since the Log4J vulnerability was exposed, we see more and more malware jumping on the wagon; Elknot, Gafgyt, and Mirai are all too familiar. On February 9, 2022, 360Netlab’s honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system. We decided to take a close look, and indeed, it is a new botnet family, which we named B1txor20 based on its propagation using the file name “b1t”, the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels. In addition to the traditional backdoor functions, B1txor20 also has functions such as opening Socket5 proxy and remotely downloading and installing Rootkit.

Another interesting point is that we found that many developed features are not put into use (in IDA, there is no cross-reference); some features have bugs. We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20’s siblings in the future.


Among other things, the researchers discovered threat actors leveraging the Log4J security hole to infect susceptible Linux machines with the Mirai and Muhstik Linux malware in December of last year.

These botnets have been seen “recruiting” Internet of Things devices and servers, which they then use to install crypto miners and launch large-scale DDoS assaults.
