Friday, October 11, 2024
HomeCyber Security NewsXorDDoS Infects Linux Devices and uses them to Carry out DDoS Attacks

XorDDoS Infects Linux Devices and uses them to Carry out DDoS Attacks

Published on

Malware protection

A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.

Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.

Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.

- Advertisement - SIEM as a Service

However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.

Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.

Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.

XorDDoS Infects Linux Devices

XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.

The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,

  • ppp.gggatat456[.]com:53
  • ppp.xxxatat456[.]com:53
  • p5.dddgata789[.]com:53
  • P5.lpjulidny7[.]com:53
C2 decryption function
C2 decryption function (Source: Palo Alto Unit42)

Persistence

As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.

Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.

C2 Network Infrastructure

A list of C2 domains that were registered and used by the threat actors is as follows:

C2 DomainsName ServerC2 SubdomainsIP AddressesAutonomous System
xxxatat456[.]comname-services[.]comaaa.xxxatat456[.]comb12.xxxatat456[.]comppp.xxxatat456[.]comwww.ppp.xxxatat456[.]comwww.xxxatat456[.]com142.0.138[.]41142.0.138[.]42142.0.138[.]43142.0.138[.]44142.4.106[.]73142.4.106[.]75192.74.236[.]33192.74.236[.]34192.74.236[.]3554600
gggatat456[.]comname-services[.]comaaa.gggatat456[.]comppp.gggatat456[.]comwww1.gggatat456[.]comwww.ppp.gggatat456[.]com142.0.138[.]41142.0.138[.]42142.0.138[.]43142.4.106[.]73142.4.106[.]74142.4.106[.]75142.4.106[.]76192.74.236[.]33192.74.236[.]34192.74.236[.]35192.74.236[.]3654600
lpjulidny7[.]comdomaincontrol[.]comp0.lpjulidny7[.]comp2.lpjulidny7[.]comp3.lpjulidny7[.]comp4.lpjulidny7[.]comp5.lpjulidny7[.]com34.98.99[.]30396982
dddgata789[.]comdomaincontrol[.]comddd.dddgata789[.]comp5.dddgata789[.]comN/AN/A

Source: Palo Alto Unit42

Complete Network Infrastructure
Complete Network Infrastructure (Source: Palo Alto Unit42)

Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.

Indicators of Compromises (IOCs)

XorDDoS Binaries

  • b8c4d68755d09e9ad47e0fa14737b3d2d5ad1246de5ef1b3c794b1339d8fe9f8
  • 265a38c6dee58f912ff82a4e7ce3a32b2a3216bffd8c971a7414432c5f66ef11
  • 1e823ae1e8d2689f1090b09dc15dc1953fa0d3f703aec682214750b9ef8795f1
  • 989a371948b2c50b1d45dac9b3375cbbf832623b30e41d2e04d13d2bcf76e56b
  • 20f202d4a42096588c6a498ddb1e92f5b7531cb108fca45498ac7cd9d46b6448
  • 9c5fc75a453276dcd479601d13593420fc53c80ad6bd911aaeb57d8da693da43
  • ce0268e14b9095e186d5d4fe0b3d7ced0c1cc5bd9c4823b3dfa89853ba83c94f
  • aeb29dc28699b899a89c990eab32c7697679f764f9f33de7d2e2dc28ea8300f5

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...