Summary:
XorBot, a new botnet family that emerged in late 2023, has rapidly evolved into a significant threat targeting IoT devices, particularly those from Intelbras, TP-Link, and D-Link. With advanced anti-tracking features and a growing arsenal of DDoS attack methods, its operators are increasingly monetizing the botnet, including by renting out DDoS attacks. The botnet's latest version, 1.04, showcases enhanced capabilities and a focus on stealth.
#XorBot #IoTSecurity #BotnetThreat
Key points:
XorBot first appeared in November 2023 and was publicly disclosed by NSFOCUS in December 2023.
Targets IoT devices, particularly Intelbras cameras and TP-Link/D-Link routers.
Operators are offering DDoS attack rental services.
The latest observed version of XorBot is 1.04, which introduces significant updates and improvements over earlier releases.
Utilizes multiple exploit methods to compromise devices.
Employs advanced anti-tracking and stealth techniques.
Supports various DDoS attack methods, including UDP, TCP, and HTTP.
Maintains persistence on infected devices by disguising itself as a legitimate system component.
Its operators use social media platforms such as Telegram to recruit customers and promote the service.
MITRE Techniques
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Exploitation for Client Execution (T1203): Exploits vulnerabilities in client applications to execute malicious code.
Remote File Copy (T1105): Transfers files from a remote location to the compromised device.
Persistence (T1547): Modifies system settings to ensure the Trojan runs on startup.
Data Obfuscation (T1027): Uses encryption and obfuscation techniques to conceal malicious code and communications.
Distributed Denial of Service (DDoS) (T1499): Executes DDoS attacks against targeted services or networks.
IoC:
[File Name] conn.masjesu.zip
[IP Address] 216.126.231.240
[File Hash] 8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
[File Hash] 12f0e9582f0a65984653f75466709743
Full Research: https://nsfocusglobal.com/alert-xorbot-comes-back-with-enhanced-tactics/