Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign

The XorDDoS Trojan campaigns compromised Linux devices to form a globally distributed botnet used for DDoS attacks, orchestrated through a resilient C2 network that migrated from dedicated resources to legitimate public hosting. The analysis covers attacking behaviors, C2 infrastructure, persistence, and new detection signatures. #XorDDoS #LinuxXorDDoS

Keypoints

  • The XorDDoS Trojan infects Linux devices and converts them into botnet zombies for remote task execution and DDoS campaigns.
  • The 2023 campaign (July–August) moved C2 hosting to public hosting services while keeping the attacker domains the same, increasing infrastructure resilience.
  • Attackers conducted HTTP vulnerability scanning (including attempts to access /etc/passwd) and used SSH brute-forcing to gain initial access before deploying malware.
  • The malware uses an XOR key (BB2FA36AAA9541F0) to encrypt execution data and decrypts embedded strings, with CRC-based integrity checks for C2 communication.
  • C2 domains are decrypted from the binary, DNS queries resolve to C2 IPs via 8.8.8.8/8.8.4.4, and the campaign uses multiple domain/subdomain pairs across a set of IPs in the United States.
  • Persistence is achieved via scheduled autorun tasks (every three minutes) and a startup service; the malware also self-replicates and ships as many distinct ELF variants, which defeats hash-based detection. Victims span industries worldwide.
  • The authors highlight the importance of multi-entity network signatures, paired with DNS and URL filtering, for detecting C2 activity that single-entity checks (a lone IP or domain match) miss.
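Added example (not code from the page or from Unit42): a small triage routine that recovers strings from a binary blob encrypted with the repeating XOR key the Keypoints and the T1027 entry document. It assumes the key's 16 characters are used as literal ASCII key bytes, that each embedded string was XORed starting at key index 0, and that strings sit at arbitrary file offsets; it therefore decodes the blob under every key rotation and keeps printable runs. The sample blob is constructed inline, not taken from a real sample.

```python
"""Repeating-key XOR string recovery for XorDDoS-style samples (added example)."""
import string

# Key as documented on the page. Treating its 16 characters as the literal
# ASCII key bytes (rather than decoding them as hex) is an assumption here.
XORDDOS_KEY = b"BB2FA36AAA9541F0"

# Printable ASCII minus whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_runs(data: bytes, min_len: int = 6) -> list[str]:
    """Extract runs of printable ASCII at least min_len bytes long."""
    runs, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def recover_strings(blob: bytes, key: bytes = XORDDOS_KEY, min_len: int = 6) -> set[str]:
    """Decode the blob under every key rotation and collect printable runs.

    Assumption: each embedded string was encrypted starting at key index 0, so a
    string stored at file offset `off` decodes correctly only with the key
    rotated by (-off mod len(key)). Trying all len(key) rotations covers every
    offset without knowing where the strings are.
    """
    found: set[str] = set()
    for shift in range(len(key)):
        rotated = key[shift:] + key[:shift]
        found.update(printable_runs(xor_bytes(blob, rotated), min_len))
    return found


# Constructed sample blob (not a real sample): two strings XORed with the key,
# placed at offsets that are not multiples of 16, separated by 0xFF filler.
# 0xFF XOR any byte of this key is >= 0x80, so filler never looks printable.
SAMPLE_STRINGS = ["c2.example.invalid", "/tmp/constructed_sample"]
SAMPLE_BLOB = (
    b"\xff" * 5 + xor_bytes(SAMPLE_STRINGS[0].encode(), XORDDOS_KEY)
    + b"\xff" * 11 + xor_bytes(SAMPLE_STRINGS[1].encode(), XORDDOS_KEY)
    + b"\xff" * 3
)

if __name__ == "__main__":
    for s in sorted(recover_strings(SAMPLE_BLOB)):
        print(s)
```

Run against a real ELF by reading the file into `blob`; raise `min_len` to cut down on printable junk produced by wrong rotations, and expect the correct rotation to yield the hostnames and paths the page describes being decrypted at runtime.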

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Scanned for vulnerabilities and attempted to access /etc/passwd via HTTP-facing services. ‘they probed whether a prospective victim’s machine hosted an HTTP service susceptible to directory traversal’
  • [T1110] Brute Force – SSH brute-force attack used to gain initial access. ‘they gained initial access through SSH brute-force attack’
  • [T1105] Ingress Tool Transfer – Malware downloaded from remote servers and deployed on victim machines. ‘downloaded malware from remote servers and deployed it on the victim machines’
  • [T1027] Obfuscated Files or Information – XOR encryption of execution data. ‘uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the data related to its execution’ and ‘decrypt_remotestr()’ for domain decryption
  • [T1082] System Information Discovery – Collects OS version, malware version, memory status, CPU info, and a 32-byte magic string for C2. ‘collects essential information… This string is a 32 bytes long identifier that represents the compromised device while connecting with the C2 server’
  • [T1071.004] Application Layer Protocol: DNS – Uses DNS (8.8.8[.]8; 8.8.4[.]4) to resolve C2 domains. ‘DNS servers 8.8.8[.]8 and 8.8.4[.]4 to resolve the IP address of the C2 domain names’
  • [T1053.005] Scheduled Task/Job: Cron – Creates scheduled autorun tasks every three minutes and configures startup services. ‘scheduled autorun tasks that trigger malware execution every three minutes’
  • [T1036] Masquerading – Hides as a legitimate process and runs as a background service to evade termination signals. ‘disguise itself as a legitimate process’

Indicators of Compromise

  • [IPs] Command and Control Infrastructure – 23.252.167[.]35, 34.98.99[.]30, and other IPs (context: C2 hosts and activity)
  • [Domains] Domains used for C2 – 0o557[.]com, dddgata789[.]com, lpjulidny7[.]com (context: root and subdomain C2 hostnames)
  • [File hashes] XorDDoS Binaries – b8c4d68755d09e9ad47e0fa14737b3d2d5ad1246de5ef1b3c794b1339d8fe9f8, 265a38c6dee58f912ff82a4e7ce3a32b2a3216bffd8c971a7414432c5f66ef11 (context: binary samples)
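Added example (not code from the page or from Unit42) of the multi-entity signature the Keypoints argue for: instead of alerting on a blocked IP or a watched domain alone, it pairs a DNS answer for one of the C2 root domains listed above with a later connection from the same host to the IP that answer returned. The log format, the host addresses, the resolved IPs (RFC 5737 documentation ranges, chosen so they are on no blocklist) and the five-minute window are all constructed assumptions.

```python
"""Multi-entity C2 detection over constructed DNS and connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Root domains from the Indicators of Compromise section, re-fanged for matching.
WATCHED_DOMAINS = {"0o557.com", "dddgata789.com", "lpjulidny7.com"}


def under_watched_domain(name: str) -> bool:
    """True for a watched root domain or any subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def parse(line: str) -> dict:
    """Parse the constructed 'key=value' log format used in SAMPLE_LOG."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def correlate(lines: list[str], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert when host H resolves a watched domain to IP X and then connects to X.

    Neither entity alone fires: a resolution without a follow-up connection is
    noise, and a connection to X from a host that never resolved a watched
    domain is ignored (X may be shared public hosting, as the page describes).
    """
    pending = defaultdict(list)  # (host, resolved ip) -> [(time, queried name)]
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["event"] == "dns" and under_watched_domain(rec["qname"]):
            pending[(rec["src"], rec["answer"])].append((rec["ts"], rec["qname"]))
        elif rec["event"] == "conn":
            for t_dns, qname in pending.get((rec["src"], rec["dst"]), []):
                if timedelta(0) <= rec["ts"] - t_dns <= window:
                    alerts.append({"host": rec["src"], "domain": qname,
                                   "c2_ip": rec["dst"], "ts": rec["ts"].isoformat()})
    return alerts


# Constructed sample log (assumed format; not from the page). Resolver fields
# mirror the page's note that the malware uses 8.8.8.8 and 8.8.4.4.
SAMPLE_LOG = [
    "ts=2023-08-01T10:00:00 event=dns src=10.0.0.5 resolver=8.8.8.8 qname=dddgata789.com answer=203.0.113.45",
    "ts=2023-08-01T10:00:02 event=conn src=10.0.0.5 dst=203.0.113.45 dport=8080",
    "ts=2023-08-01T10:00:10 event=dns src=10.0.0.9 resolver=8.8.4.4 qname=example.com answer=198.51.100.7",
    "ts=2023-08-01T10:00:11 event=conn src=10.0.0.9 dst=198.51.100.7 dport=443",
    # Same IP as the C2 answer, but this host never resolved a watched domain: no alert.
    "ts=2023-08-01T10:00:20 event=conn src=10.0.0.9 dst=203.0.113.45 dport=443",
    # Watched domain resolved, but the connection falls outside the window: no alert.
    "ts=2023-08-01T10:01:00 event=dns src=10.0.0.7 resolver=8.8.8.8 qname=lpjulidny7.com answer=203.0.113.46",
    "ts=2023-08-01T10:30:00 event=conn src=10.0.0.7 dst=203.0.113.46 dport=8080",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The window and the decision to drop the late connection are tuning choices; because the page reports a three-minute autorun cadence, a host that is infected will re-resolve and reconnect repeatedly, so a short window loses little and keeps shared-hosting false positives down.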

Read more: https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/