Full Report
Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.
Analysis Summary
# Tool/Technique: XorDDoS
## Overview
XorDDoS is a long-standing distributed denial-of-service (DDoS) malware family that primarily targets Linux systems but has expanded its reach to Docker environments, IoT devices, and other internet-connected infrastructure. It compromises systems, most often via SSH brute-forcing, and enslaves them into a botnet used to launch large-scale DDoS attacks. Recent observations highlight the emergence of a new, more complex infrastructure, including a "VIP version" sub-controller.
## Technical Details
- Type: Malware family
- Platform: Linux, Docker servers, IoT devices
- Capabilities: Establishing persistence, C2 communication, launching DDoS attacks, potential secondary payload deployment (e.g., cryptocurrency miners like Tsunami).
- First Seen: Operational for over a decade (since around 2014/2015, with reporting noting significant activity spikes in 2022 and continued growth through 2024/2025).
## MITRE ATT&CK Mapping
Since the article focuses on the operational aspects of the malware, the mapping primarily covers initial access, execution, and command & control:
- **TA0001 - Initial Access**
  - T1110 - Brute Force
    - T1110.001 - Password Guessing: SSH Protocol
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Unix Shell
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (analogous persistence mechanism via cron jobs/initialization scripts on Linux)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied C2 communication channels)
## Functionality
### Core Capabilities
- **Infection Vector:** Initial access is primarily achieved through brute-force attacks targeting exposed Secure Shell (SSH) credentials.
- **Botnet Recruitment:** Once installed, the malware converts vulnerable hosts (Linux, IoT, Docker) into distributed bots.
- **Persistence:** The malware establishes persistence using an embedded initialization script and a cron job, ensuring execution upon system startup.
- **Encryption:** Uses the specific XOR key "BB2FA36AAA9541F0" to decrypt configuration data necessary for Command and Control (C2) communication.
### Advanced Features
- **Multi-Layered C2 Infrastructure:** A central controller manages multiple XorDDoS sub-controllers, which in turn command the bots.
- **New Infrastructure Components:** Discovery of a new "VIP version" sub-controller, a corresponding central controller, and a builder tool, suggesting the framework is being actively developed and potentially advertised for sale.
- **Secondary Infection:** In previous campaigns (2022), infections paved the way for other malware, such as cryptocurrency mining malware like Tsunami.
- **Language:** The language settings of the controller, builder, and binding tools suggest the operators are Chinese-speaking.
## Indicators of Compromise
- File Hashes: *Not explicitly provided in the summary text.*
- File Names: *Not explicitly provided, but relies on persistence mechanisms like initialization scripts and cron jobs.*
- Registry Keys: *Not applicable (Linux focus), persistence relies on startup scripts/cron.*
- Network Indicators: Malicious DNS requests linked to C2 infrastructure (Specific IPs/Domains defanged).
- Behavioral Indicators: Execution of initialization scripts/cron jobs designed for automatic startup; outbound C2 communication following XOR decryption.
## Associated Threat Actors
- Operators identified as likely being Chinese-speaking individuals based on language settings observed in associated tools (builder, controllers).
## Detection Methods
- Signature-based detection: Signatures targeting the known XOR key use ("BB2FA36AAA9541F0").
- Behavioral detection: Monitoring for unexplained cron job creation or initialization scripts designed for service persistence; detection of high volumes of unusual DNS requests associated with the C2 network.
- YARA rules: *Not explicitly provided in the summary text.*
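The XOR key quoted in the Functionality and Detection sections lends itself to two analyst checks: a literal-byte signature scan, and decoding of XOR-encoded data carved from a sample. The helper below is an added example written for this summary, not code from the Talos report, and it makes no claim about how a real sample lays out its configuration. Only the key itself comes from the analysis; `SAMPLE_PLAINTEXT` and everything derived from it is constructed for the demonstration. It also tries every rotation of the 16-byte key, since a blob carved from a file rarely starts on a key boundary.

```python
"""Added example (not code from the Talos report): a small analyst helper for
the XOR key the analysis quotes. It (1) looks for the literal key bytes in a
file as a signature check and (2) decodes a XOR-encoded blob with the key,
trying every rotation of the key in case the blob was carved mid-key.

The key "BB2FA36AAA9541F0" comes from the analysis; how a real sample lays out
its configuration is NOT assumed here. SAMPLE_PLAINTEXT below is constructed
for the demonstration and is not recovered from any real sample.
"""
from __future__ import annotations

import string
import sys
from pathlib import Path

XOR_KEY = b"BB2FA36AAA9541F0"  # 16-byte repeating key quoted in the analysis

# Printable ASCII minus vertical whitespace, used for string carving.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_key_offsets(blob: bytes, key: bytes = XOR_KEY) -> list[int]:
    """Offsets where the literal key appears: a simple signature check on a file image."""
    offsets, start = [], 0
    while (idx := blob.find(key, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Carve runs of printable ASCII of at least min_len bytes (like the `strings` tool)."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def best_decode(blob: bytes, key: bytes = XOR_KEY) -> tuple[int, list[str]]:
    """Decode with each rotation of the key and keep the one whose output looks most
    like configuration data (printable ASCII or NUL terminators).
    Returns (rotation, carved strings)."""
    best_rot, best_score = 0, -1
    for rot in range(len(key)):
        rotated = key[rot:] + key[:rot]
        decoded = xor_with_key(blob, rotated)
        score = sum(1 for b in decoded if b == 0 or b in PRINTABLE)
        if score > best_score:
            best_rot, best_score = rot, score
    chosen = key[best_rot:] + key[:best_rot]
    return best_rot, printable_strings(xor_with_key(blob, chosen))


# Constructed stand-in for a decoded configuration: a C2 host:port and a persistence
# path as NUL-terminated C strings. These values are placeholders, not real indicators.
SAMPLE_PLAINTEXT = b"c2.example.invalid:9999\x00/etc/cron.hourly/example-placeholder\x00"
# A NUL plaintext byte XORs to the key byte itself, so NUL-padded configs leak the
# key stream; that is one reason repeating-key XOR offers no real protection.
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT)


def scan_file(path: str) -> dict:
    """Report literal-key hits in a file plus a best-effort decode of the whole image."""
    image = Path(path).read_bytes()
    rot, strings_found = best_decode(image)
    return {"key_offsets": find_key_offsets(image), "rotation": rot, "strings": strings_found}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print("demo blob decodes to:", best_decode(SAMPLE_BLOB))
```

Run it with a file path to scan a captured binary, or with no arguments to see the constructed blob round-trip. On a whole ELF image the rotation search is only a starting point; in practice you would carve the encoded region first and feed that to `best_decode`.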
## Mitigation Strategies
- **Strong Authentication:** Implement robust SSH credential management (e.g., key-based authentication) and enforce strong, unique passwords to prevent brute-force attacks.
- **Network Segmentation:** Isolate IoT devices and containerized environments (Docker) from unnecessary network exposure.
- **Patching/Hardening:** Ensure all Linux systems, IoT devices, and Docker hosts are regularly patched and hardened against known vulnerabilities.
- **Monitor Persistence Mechanisms:** Specifically monitor system configuration files and cron job directories for unauthorized entries.
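The behavioural detection above and the persistence-monitoring mitigation here describe the same check: watch the cron and init-script locations for entries nobody approved. The script below is an added example for this summary, not tooling from the Talos report. The watched paths, the baseline format (root-relative path mapped to a SHA-256), and the two heuristics (run-at-boot entries, and commands executing out of scratch directories) are this example's own choices. To run offline it builds a throwaway directory tree with constructed cron and init files; pointing `audit_persistence()` at `Path("/")` with a real baseline scans a live host.

```python
"""Added example (not the report's own tooling): audit cron and init-script
locations for entries that are not in an approved baseline, the behavioural
check the Detection and Mitigation sections describe.

Watched paths, the baseline format and the heuristics are this example's own
choices. The demo builds a throwaway tree with CONSTRUCTED files so it runs
offline; pass Path("/") and a real baseline to scan a host.
"""
from __future__ import annotations

import hashlib
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Root-relative locations where a cron job or boot-time script can be dropped.
WATCHED_DIRS = ("etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "etc/init.d",
                "var/spool/cron/crontabs")
WATCHED_FILES = ("etc/crontab", "etc/rc.local")

# Heuristics: run-at-boot entries, and commands that execute out of scratch directories.
SUSPICIOUS = (
    re.compile(r"^\s*@reboot\b"),
    re.compile(r"(^|[\s=;|&'\"])/(tmp|var/tmp|dev/shm)/"),
)


@dataclass
class Finding:
    path: str
    reason: str
    line: str = ""


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_persistence(root: Path, baseline: dict[str, str]) -> list[Finding]:
    """baseline maps root-relative path -> expected SHA-256 of each approved file."""
    findings: list[Finding] = []
    seen: set[str] = set()
    candidates: list[Path] = []
    for d in WATCHED_DIRS:
        p = root / d
        if p.is_dir():
            candidates.extend(q for q in sorted(p.iterdir()) if q.is_file())
    for f in WATCHED_FILES:
        p = root / f
        if p.is_file():
            candidates.append(p)
    for path in candidates:
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append(Finding(rel, "not in baseline"))
        elif baseline[rel] != sha256_file(path):
            findings.append(Finding(rel, "content differs from baseline"))
        for line in path.read_text(errors="replace").splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank or comment (includes the #! line)
            for pat in SUSPICIOUS:
                if pat.search(line):
                    findings.append(Finding(rel, f"suspicious entry ({pat.pattern})", line.strip()))
                    break
    for rel in baseline:
        if rel not in seen:
            findings.append(Finding(rel, "baseline file missing"))
    return findings


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Constructed root: one approved cron job and three unapproved drops (placeholders)."""
    root = Path(tempfile.mkdtemp(prefix="persist-audit-"))
    approved = root / "etc/cron.d/logrotate"
    approved.parent.mkdir(parents=True)
    approved.write_text("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    baseline = {"etc/cron.d/logrotate": sha256_file(approved)}
    # Constructed unapproved entries modelled on the startup persistence the report describes.
    (root / "etc/cron.hourly").mkdir(parents=True)
    (root / "etc/cron.hourly/example").write_text("#!/bin/sh\n/tmp/.example-placeholder\n")
    (root / "etc/init.d").mkdir()
    (root / "etc/init.d/example-placeholder").write_text(
        "#!/bin/sh\n# constructed init script\n/var/tmp/example-placeholder\n")
    (root / "etc/crontab").write_text("SHELL=/bin/sh\n@reboot root /dev/shm/example-placeholder\n")
    return root, baseline


def remove_demo_tree(root: Path) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    try:
        for f in audit_persistence(demo_root, demo_baseline):
            print(f"{f.path}: {f.reason}" + (f" -> {f.line}" if f.line else ""))
    finally:
        remove_demo_tree(demo_root)
```

The baseline is what makes this usable: record the hashes on a freshly built host and re-run the audit on a schedule, so a dropped cron file or an edited approved one shows up as a diff rather than as a judgement call about individual lines. The heuristics are a second net for hosts without a baseline.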
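Because SSH brute-forcing is the infection vector the report names, the Strong Authentication item is worth turning into a concrete check of `sshd_config`. The checker below is an added example for this summary, not from the report. It reproduces two sshd parsing rules that trip up hand-written audits (the first value read for a keyword wins, and `Match` blocks are conditional, so the global section ends there), applies a policy whose thresholds are this example's own choices, and compares a constructed weak config against its hardened counterpart.

```python
"""Added example (not from the report): audit an sshd_config against the SSH
hardening the Mitigation section calls for. The policy thresholds are this
example's own choices; the two configs at the bottom are constructed.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global-section settings, keyed by lower-cased keyword.

    sshd keeps the FIRST value it reads for a keyword, so later duplicates must not
    override earlier ones; keywords are case-insensitive and accept '=' or whitespace.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().split()[0] == "match":
            # Match blocks apply only to some connections; the global section ends here.
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


# (keyword, sshd's default when unset, acceptance test, reason). The "<= 3" bound
# for MaxAuthTries is this example's policy, not an sshd recommendation.
POLICY = (
    ("passwordauthentication", "yes", lambda v: v == "no",
     "disable password logins; use key-based authentication"),
    ("kbdinteractiveauthentication", "yes", lambda v: v == "no",
     "keyboard-interactive (PAM) can still prompt for a password"),
    ("permitemptypasswords", "no", lambda v: v == "no", "never allow empty passwords"),
    ("permitrootlogin", "prohibit-password", lambda v: v in ("no", "prohibit-password"),
     "no password login as root"),
    ("pubkeyauthentication", "yes", lambda v: v == "yes", "key authentication must stay on"),
    ("maxauthtries", "6", lambda v: v.isdigit() and int(v) <= 3, "limit guesses per connection"),
)


def check_sshd_config(text: str) -> list[str]:
    """One message per policy failure; an empty list means the config passes."""
    settings = parse_sshd_config(text)
    failures = []
    for key, default, ok, why in POLICY:
        value = settings.get(key, default).lower()
        if not ok(value):
            source = "set" if key in settings else "default"
            failures.append(f"{key}={value} ({source}): {why}")
    return failures


# Constructed sample: a default-ish config that still accepts passwords.
WEAK_CONFIG = """\
# constructed example, not a real host's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed sample: the hardened equivalent. The trailing duplicate shows why
# first-value-wins parsing matters: sshd ignores it, and so does the checker.
HARDENED_CONFIG = """\
# constructed example, not a real host's file
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries=3
PasswordAuthentication yes   # ignored: sshd keeps the first value it read
Match User deploy
    PasswordAuthentication no
"""


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else WEAK_CONFIG
    for msg in check_sshd_config(text) or ["config passes policy"]:
        print(msg)
```

Note that `KbdInteractiveAuthentication` is checked alongside `PasswordAuthentication`: turning off the latter while leaving the former at its default still lets PAM prompt for a password, which is exactly the path a password-guessing bot needs.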
## Related Tools/Techniques
- **Tsunami:** Cryptocurrency mining malware previously deployed following XorDDoS infection.
- Other Linux/IoT DDoS malware frameworks.