XorDDOS Strikes Hard Once Again

The Cymulate research lab honeypot network recently detected a new variant of the XorDDOS malware. Our analysis of the XorDDOS payload, using various sources such as VirusTotal, helped us to identify the Command and Control (C&C) IP address. More concerning about the variant’s potential severity, we found indicators of the malware’s activity on a deployed machine. In addition, Intezer identified similar malware and code that contained the distinct string XorDDOS is known for “F”4YA/A”.

In recent years, XorDDOS has become a notorious malware family that targets Linux systems. Notable for the use of extensive scripting to implement itself after an initial compromise, this malware has shown great resistance to detection in its various variants. Originating in China, XorDDOS uses infected x86, x64, and ARM systems s to launch wide-scale Distributed Denial of Service attacks against other victims. The latest variant of the attack showcases continued innovation on the part of the threat actors, spawning new variants as existing forms come under closer scrutiny. It has successfully infected large numbers of systems, compromising their security and launching further attacks against others using the now “zombie” systems it succeeds in taking over.

Attack Phases

The XorDDOS malware has evolved significantly, utilizing a range of techniques to infect and persist on the targeted system. The attack phases include:

1. The malware persists itself using System V runlevels: The malware first attempts to persist itself using the System V runlevels, which are a standard initialization system used by UNIX and Linux distributions (though XorDDOS has so far targeted only Linux). This ensures that the malware is automatically started during the boot process.
2. It tries to persist itself using cron: The malware also tries to persist itself using cron, a time-based job scheduler in Unix-like operating systems including most distributions of Linux. Recent variants have created two shell script files, “/etc/cron.hourly/cqqbnzzu.sh” and “/etc/cron.hourly/obidhyb.sh”, which are executed every hour.
3. It writes shell script files to disk: The malware writes the shell script files to disk, which it uses to execute its various attack phases.
4. It deletes itself: To avoid detection, the malware deletes its installer scripting and files after completing its attack phases. Keeping in mind that the primary operation of XorDDOS is to act as a DDoS node once it successfully infects a device and therefore no longer needs the installers or install scripting.
5. It encodes data using XOR: In order to obfuscate its malicious code, the malware encodes its data using XOR.
6. It encrypts data using RC4 PRGA: The malware encrypts its data using RC4 PRGA, a symmetric key stream cipher, to further prevent detection by security software.
7. Contain obfuscated stackstrings: The malware contains obfuscated stackstrings, which makes it difficult to analyze.
8. It enumerates processes within the “proc” file system: The malware enumerates processes within the “proc” file system to gather information about the system.
9. It reads system information: The malware reads system information from the proc file system to determine the system’s kernel version.
10. It may try to detect virtual machines: Security researchers often use virtual machines in order to allow malware to execute for analysis without endangering other systems. In order to hinder this analysis, the malware may attempt to detect it is running on a VM; where artifact strings found in memory can reveal that the system is virtual.
11. It uses the “uname” system call to query kernel version information: The malware uses the “uname” system call to query kernel version information, to the purpose of this call is not entirely clear, but it may be an attempt to evade detection.
12. It queries for a number of processors:  As with the call for system information, this may be furthering attempts to avoid detection by limiting its operations to only a portion of the total resources available.
13. It downloads files from webservers via HTTP: The malware downloads files from webservers via HTTP to continue the installation of malicious files and launch further installation steps to begin its primary goal of using the system as a Denial of Service endpoint.

IOCs

The attack’s IOCs include several IP addresses, file hashes, and related malware families. The following are the IOCs:

http://203.205.254[.]157:80/lib.xlsx

http://qq[.]com/lib.xlsx

61.177.172[.]32

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73 (ELF file)

Related samples

Intezer: https://analyze.intezer.com/analyses/80cb27cb-c901-4850-8d9f-42943fdd990a/sub/1bb60d9f-5e64-4d34-9c44-acbe45a682ea/related-samples

Related families

https://analyze.intezer.com/analyses/80cb27cb-c901-4850-8d9f-42943fdd990a/sub/1bb60d9f-5e64-4d34-9c44-acbe45a682ea/code-reuse

Strings reuse pattern

F”4YA/A

Conclusion

XorDDOS continues to be a major threat to Linux systems. The latest attack showcases the malware’s sophisticated techniques to evade detection and persist on the targeted system. It is crucial to secure Linux systems and prevent attacks from compromising sensitive data.

The Threat Research Group uses the Cymulate Honeypot Network within Cymulate to observe and analyze malware encountered in the wild. Using honeypot systems allows Cymulate to continue to create new, safe attack simulations of emergent and evolving threats, allowing our customers to assess with the latest threat intelligence.