A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.
Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.
Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.
However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.
Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.
Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.
XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.
The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,
As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.
Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.
A list of C2 domains that were registered and used by the threat actors is as follows:
| C2 Domains | Name Server | C2 Subdomains | IP Addresses | Autonomous System |
| xxxatat456[.]com | name-services[.]com | aaa.xxxatat456[.]comb12.xxxatat456[.]comppp.xxxatat456[.]comwww.ppp.xxxatat456[.]comwww.xxxatat456[.]com | 142.0.138[.]41142.0.138[.]42142.0.138[.]43142.0.138[.]44142.4.106[.]73142.4.106[.]75192.74.236[.]33192.74.236[.]34192.74.236[.]35 | 54600 |
| gggatat456[.]com | name-services[.]com | aaa.gggatat456[.]comppp.gggatat456[.]comwww1.gggatat456[.]comwww.ppp.gggatat456[.]com | 142.0.138[.]41142.0.138[.]42142.0.138[.]43142.4.106[.]73142.4.106[.]74142.4.106[.]75142.4.106[.]76192.74.236[.]33192.74.236[.]34192.74.236[.]35192.74.236[.]36 | 54600 |
| lpjulidny7[.]com | domaincontrol[.]com | p0.lpjulidny7[.]comp2.lpjulidny7[.]comp3.lpjulidny7[.]comp4.lpjulidny7[.]comp5.lpjulidny7[.]com | 34.98.99[.]30 | 396982 |
| dddgata789[.]com | domaincontrol[.]com | ddd.dddgata789[.]comp5.dddgata789[.]com | N/A | N/A |
Source: Palo Alto Unit42
Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…