Welcome to the VB2021 conference!


Shades of Red: RedXOR Linux backdoor and its Chinese origins

Avigayil Mechtinger (Intezer) & Joakim Kennedy (Intezer)
2020 set a record for new Linux malware families. New malware targeting Linux systems is being discovered on a regular basis, while backdoors attributed to advanced threat actors are disclosed less frequently.

In this talk, we will share a technical analysis of a newly uncovered backdoor we named RedXOR and explain why it is likely attributable to the Winnti umbrella. We will also touch upon the Linux threat landscape and how Linux malware finds its way onto compromised servers.

As well as understanding RedXOR malware, which is among the most sophisticated Linux malware discovered in the past year, attendees of this talk will gain knowledge about Winnti Linux TTPs and ELF malware analysis.
Avigayil Mechtinger

Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware Analysis 101 series, to make ELF analysis approachable for beginners. Prior to joining Intezer, Avigayil was a cyber analyst in Check Point's mobile threat detection group.

Joakim Kennedy

Dr Joakim Kennedy is a security researcher for Intezer. On a daily basis he analyses malware, tracks threat actors, and solves security problems. His work is mainly focused on threats that target Linux systems and cloud environments. Dr Kennedy began in the industry as a security researcher at Rapid7, where he got his start in vulnerabilities research. Following his time with Rapid7, he joined Anomali. Whilst there, he managed Anomali's Threat Research Team, where they focused on creating threat intelligence. Dr Kennedy has been a featured speaker at multiple BSides events and at the CCB's Quarterly Cyber Threat Report Event. He has also presented at various other industry events. For the last few years, Dr Kennedy has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.