A new campaign utilizing the XorDDoS Trojan has recently surfaced, posing a major threat to Linux systems and devices. This Trojan has the ability to transform compromised systems into zombies, enabling threat actors to control them remotely. These controlled systems can then be used to carry out Distributed Denial-of-Service (DDoS) attacks.
A comparison of this campaign with a similar one from 2022 identified only one change: the configuration of the command-and-control (C2) hosts. The attacking domains remain the same, but instead of relying on their own infrastructure, the threat actors behind this campaign have shifted to hosts running on legitimate public hosting services. This change in strategy suggests an attempt to evade detection and keep the operation running.
Despite many security vendors classifying the C2 domains from the 2022 campaign as malicious and blocking them, the current active malware traffic is now being directed to new IP addresses. This demonstrates the adaptability and persistence of the threat actors behind the XorDDoS campaign.
In terms of the initial access vector employed in this campaign, the threat actors targeted hosts vulnerable to directory traversal attacks, which allow arbitrary files on the server to be read. Specifically, they focused on extracting passwords from the /etc/passwd file. However, since this file only contains encrypted passwords, the threat actors had to resort to SSH brute-force attacks to gain initial access. Once access was obtained, they downloaded the XorDDoS malware from remote servers, effectively taking control of the compromised system.
The XorDDoS Trojan encrypts all execution-related data with an XOR key (BB2FA36AAA9541F0) and decrypts it at runtime with a matching decryption function. Once running on a victim's machine, the malware collects information such as the OS version, malware version, memory status, and CPU information. A dedicated routine, decrypt_remotestr(), decrypts the C2 domains embedded within the executable.
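As an added example that is not part of this article or the Unit42 report, the following Python triage helper reverses the repeating-key XOR described above to recover embedded configuration strings and keep only those that look like C2 domains. It assumes the quoted key is applied as a 16-byte ASCII string that restarts at each table entry, and the sample table is constructed here with that same key rather than taken from a real sample.

```python
"""Constructed triage helper for XorDDoS-style XOR-obfuscated config strings."""
import re

# Key quoted in the article. Assumption: used as a 16-byte ASCII string in a
# repeating-key XOR, with the key offset restarting for every string entry.
XOR_KEY = b"BB2FA36AAA9541F0"

# Loose hostname pattern used to separate C2 domains from other config strings.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine both encodes a
    plaintext and decodes a sample's string (the role decrypt_remotestr() plays)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_strings(entries, key: bytes = XOR_KEY):
    """Decode a table of individually encrypted, NUL-terminated entries. Entries
    that do not decode to printable ASCII are reported as None so a wrong key or
    a corrupted table is visible instead of being silently dropped."""
    decoded = []
    for enc in entries:
        plain = xor_crypt(enc, key).split(b"\x00", 1)[0]  # stop at NUL terminator
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            decoded.append(None)
            continue
        decoded.append(text if text.isprintable() else None)
    return decoded


def extract_c2_domains(entries, key: bytes = XOR_KEY):
    """Return decoded entries that look like hostnames, lower-cased,
    de-duplicated and in table order, ready for blocklist or DNS-log matching."""
    seen, domains = set(), []
    for text in decode_strings(entries, key):
        if text and DOMAIN_RE.match(text.lower()) and text.lower() not in seen:
            seen.add(text.lower())
            domains.append(text.lower())
    return domains


# Constructed sample table: the domains named in the article plus two non-domain
# config strings (a placeholder path and a cron schedule), encrypted with XOR_KEY.
SAMPLE_TABLE = [
    xor_crypt(s + b"\x00")
    for s in (b"xxxatat456.com", b"gggatat456.com", b"/tmp/example_config",
              b"lpjulidny7.com", b"*/3 * * * *", b"dddgata789.com")
]

if __name__ == "__main__":
    print(extract_c2_domains(SAMPLE_TABLE))
```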
The campaign has been documented in a comprehensive report published by Unit42 of Palo Alto Networks. This report provides detailed insights into the campaign, including code analysis, obfuscation techniques, and other relevant information.
To maintain persistence on the compromised systems, the XorDDoS Trojan creates scheduled autorun tasks that run every three minutes, alongside an autorun service configured to start at boot. Additionally, the malware daemonizes itself into a background service so that it blends in with legitimate processes and evades detection.
The threat actors behind this campaign registered and utilized several C2 domains. Some of the known domains include xxxatat456[.]com, gggatat456[.]com, lpjulidny7[.]com, and dddgata789[.]com. These domains were associated with various name servers, C2 subdomains, IP addresses, and autonomous systems. A complete overview of the C2 network infrastructure can be found in the report published by Palo Alto Unit42.
To protect against the XorDDoS Trojan and similar threats, organizations need to implement robust security measures, including regularly patching software and promptly applying security updates. Utilizing advanced email security solutions such as Trustifi can also play a vital role in securing businesses against dangerous email threats.
The XorDDoS campaign serves as a reminder of the ever-present cybersecurity challenges faced by Linux systems and devices. As threat actors continue to evolve their techniques and employ sophisticated malware, it is imperative for organizations to remain vigilant and prioritize cybersecurity measures to mitigate the risks posed by such campaigns.