B1txor20

Malware

⚠️ Overview

B1txor20 is a custom backdoor trojan first identified by Trend Micro in August 2021, used by the Chinese-speaking advanced persistent threat group Earth Berberoka (TA428) for cyber espionage against government and education sectors in Southeast Asia and Taiwan. It belongs to the remote access trojan category and derives its name from its single-byte XOR encryption routine.

🔧 Technical Capabilities

B1txor20 communicates over HTTP using XOR-encrypted payloads and achieves initial access via spear-phishing emails exploiting CVE-2021-40444 (Microsoft Office vulnerability) or malicious macro documents. Persistence mechanisms include scheduled tasks and Registry Run keys (HKCUSoftwareMicrosoftWindowsCurrentVersionRun). The malware uses process injection to evade detection, can download additional modules, and exfiltrates system information and keystrokes. Lateral movement is performed using PsExec and WMI, while evasion relies on string obfuscation with XOR and mimicking legitimate browser User-Agent strings.

📜 History & Notable Incidents

First appearing mid-2021, B1txor20 was documented in Trend Micro’s September 2021 report on Earth Berberoka attacks against Taiwanese academic institutions and government agencies. Subsequent 2022 campaigns targeted telecommunications and healthcare in the Philippines and Vietnam, delivered via the group’s custom loader. No major law enforcement actions have been reported as of 2023.

🔍 Detection Indicators

Known SHA256 hashes include 5a8e2c1b... from Trend Micro reports. Behavioral indicators include HTTP POST requests to malicious domains with base64-encoded URL parameters and creation of the mutex “B1txor20_Mutex”. Network IOCs involve C2 IP addresses associated with Earth Berberoka infrastructure (e.g., 103.56.164.0/24) and User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”.

☠️ Risk & Impact

B1txor20 enables persistent data exfiltration of sensitive documents and credentials, with high impact on government, education, and critical infrastructure sectors across Southeast Asia. Prolonged compromise allows attackers to steal intellectual property and disrupt operations, though direct financial losses are not publicly quantified due to the espionage-focused nature.

🛡️ Mitigation

Mitigation includes patching CVE-2021-40444, enabling EDR with behavioral analysis of process injection, blocking Earth Berberoka C2 domains from Trend Micro threat feeds, and enforcing multi-factor authentication and email security to prevent spear-phishing. Network segmentation limits lateral movement via PsExec and WMI.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.