Summary:
XorBot, a botnet family that emerged in late 2023, has rapidly evolved into a significant threat to IoT devices, particularly those from Intelbras, TP-Link, and D-Link. With advanced anti-tracking features and a growing arsenal of DDoS attack methods, its operators are increasingly monetizing the botnet, notably by renting out DDoS attacks. The botnet's latest version, 1.04, adds enhanced capabilities and places a clear emphasis on stealth.
#XorBot #IoTSecurity #BotnetThreat
Keypoints:
- XorBot first appeared in November 2023 and was disclosed by NSFOCUS in December 2023.
- Targets IoT devices, particularly Intelbras cameras and TP-Link/D-Link routers.
- Operators are offering DDoS attack rental services.
- The latest version of XorBot is 1.04, featuring significant updates and improvements.
- Utilizes multiple exploit methods to compromise devices.
- Employs advanced anti-tracking and stealth techniques.
- Supports various DDoS attack methods, including UDP, TCP, and HTTP.
- Maintains persistence by disguising itself as a legitimate system component.
- Utilizes social media platforms like Telegram for recruitment and promotion.
MITRE Techniques:
- Command and Control (T1071): Uses multiple command-and-control domains to maintain communication with compromised devices, so that takedown of a single domain does not sever control.
- Exploitation for Client Execution (T1203): Exploits vulnerabilities in client applications to execute malicious code on the device.
- Remote File Copy (T1105): Transfers the bot payload from a remote location to the compromised device.
- Persistence (T1547): Modifies system settings so that the Trojan runs on startup, disguising itself as a legitimate system component.
- Data Obfuscation (T1027): Uses encryption and obfuscation to conceal malicious code and command-and-control communications.
- Distributed Denial of Service (DDoS) (T1499): Executes UDP, TCP, and HTTP flood attacks against targeted services or networks.
IoC:
- [File Name] conn.masjesu.zip
- [IP Address] 216.126.231.240
- [File Hash] 8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
- [File Hash] 12f0e9582f0a65984653f75466709743
Full Research: https://nsfocusglobal.com/alert-xorbot-comes-back-with-enhanced-tactics/