Xorbot is a stealthy, from-scratch botnet with strong concealment and encrypted C2 communications, designed to evade mainstream AV detection. It uses junk code to inflate its footprint, hides its persistence, and can perform DDoS attacks while maintaining a covert, feedback-driven botnet network including Linux/macOS-compatible variants.
#xorbot #NSFOCUS #Mirai
Keypoints
- Xorbot is described as a fast-growing botnet family built from scratch with a brand-new architecture and strong concealment.
- The authors highlight extensive junk code added to inflate file size and complicate detection, with detection rates near zero.
MITRE Techniques
- [T1053.005] Cron – Persistence via crontab; “Add scheduled task” is shown in the article’s figure caption.
- [T1036] Masquerading – Disguising the malicious file name as “ld-unixdev.so.6.”
- [T1027] Obfuscated/Encrypted Files and Information – Junk codes to mask malicious branches and encryption/decryption using XOR; “The encryption and decryption algorithm is implemented by multiple exclusive OR operations.”
- [T1071] Application Layer Protocol – C2 communications; “When interacting with C&C, they will encrypt the data to be sent before sending it.” and “After receiving the command from the server, it will also be decrypted by this algorithm before use.”
- [T1082] System Information Discovery – Collected system information is reported as JSON and transmitted after encryption; “The collected system information data is organized in json format and then encrypted for transmission.”
- [T1499] Denial of Service – DDoS modes supported; “Table 1 DDoS attack modes supported by xorbot” with gre_flood, udp_flood, tcp_flood, syn_flood, ack_flood.
Indicators of Compromise
- [IP] 203.55.81.214 – In IOC context of the article.
- [Hash] 073202212CCF6A58EBC04E33D5B90833
- [Hash] 598E8D8D2AEBA46DDBD9155480FEA972
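The following is an added hunting example, not code from the NSFOCUS article: it turns the indicators above (the two MD5 hashes, the C2 address and the "ld-unixdev.so.6" masquerade name from T1036) into a small check over crontab entries (T1053.005) and file hashes. The crontab lines are constructed samples, and the "runs from a scratch directory" rule is a general heuristic assumed here, not something the page states about Xorbot.

```python
import hashlib
from typing import Dict, List

# Indicators taken from the page's IoC list (MD5 hashes, one C2 address) and
# the masquerade filename named under T1036. Everything else here is assumed.
IOC_MD5 = {
    "073202212ccf6a58ebc04e33d5b90833",
    "598e8d8d2aeba46ddbd9155480fea972",
}
IOC_IPS = {"203.55.81.214"}
MASQUERADE_NAMES = {"ld-unixdev.so.6"}
# Heuristic, not from the page: cron jobs launched from scratch directories deserve a look.
# More specific prefixes first so "/var/tmp/" is not reported as "/tmp/".
SUSPICIOUS_DIRS = ("/var/tmp/", "/dev/shm/", "/tmp/")


def hash_is_ioc(md5_hex: str) -> bool:
    """True when an MD5 hex digest is on the page's IoC list (case-insensitive)."""
    return md5_hex.strip().lower() in IOC_MD5


def file_bytes_are_ioc(data: bytes) -> bool:
    """Hash file contents and compare the digest against the IoC list."""
    return hash_is_ioc(hashlib.md5(data).hexdigest())


def scan_crontab(text: str) -> List[Dict]:
    """Return one finding per crontab line that matches an indicator or heuristic.

    Each finding carries the 1-based line number, the stripped entry and the reasons.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # comments and blank lines carry no command
        reasons = []
        for name in MASQUERADE_NAMES:
            if name in entry:
                reasons.append(f"masquerade filename {name} (T1036)")
        for ip in IOC_IPS:
            if ip in entry:
                reasons.append(f"known C2 address {ip}")
        for d in SUSPICIOUS_DIRS:
            if d in entry:
                reasons.append(f"command runs from {d} (heuristic)")
                break
        if reasons:
            findings.append({"line": lineno, "entry": entry, "reasons": reasons})
    return findings


# Constructed sample crontab: the last two jobs are made-up illustrations of what a
# T1053.005 persistence entry could look like, not lines captured from a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/ld-unixdev.so.6 >/dev/null 2>&1
@reboot /var/tmp/.cache/sysd 203.55.81.214
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("hash on IoC list:", hash_is_ioc("073202212CCF6A58EBC04E33D5B90833"))
```

On a real host, feed `scan_crontab` the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`, and pass the bytes of any flagged binary to `file_bytes_are_ioc`; a hash miss does not clear a file, since the article notes the family pads samples with junk code, so treat the masquerade name and the C2 address as the stronger signals.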
Read more: https://nsfocusglobal.com/xorbot-a-stealthy-botnet-family-that-defies-detection/