Alert: XorBot Comes Back with Enhanced Tactics – NSFOCUS, Inc.

Summary:
XorBot, a new botnet family emerging in late 2023, has rapidly evolved into a significant threat targeting IoT devices, particularly those from Intelbras, TP-Link, and D-Link. With advanced anti-tracking features and a growing arsenal of DDoS attack methods, its operators are increasingly engaging in profitable operations. The botnet’s latest version, 1.04, showcases enhanced capabilities and a focus on stealth.
#XorBot #IoTSecurity #BotnetThreat

Keypoints:

  • XorBot first appeared in November 2023 and was disclosed by NSFOCUS in December 2023.
  • Targets IoT devices, particularly Intelbras cameras and TP-Link/D-Link routers.
  • Operators are offering DDoS attack rental services.
  • The latest version of XorBot is 1.04, featuring significant updates and improvements.
  • Utilizes multiple exploit methods to compromise devices.
  • Employs advanced anti-tracking and stealth techniques.
  • Supports various DDoS attack methods, including UDP, TCP, and HTTP.
  • Maintains persistence by disguising itself as a legitimate system component.
  • Utilizes social media platforms like Telegram for recruitment and promotion.

MITRE Techniques:

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Exploitation for Client Execution (T1203): Exploits vulnerabilities in client applications to execute malicious code.
  • Remote File Copy (T1105): Transfers files from a remote location to the compromised device.
  • Persistence (T1547): Modifies system settings to ensure the Trojan runs on startup.
  • Data Obfuscation (T1027): Uses encryption and obfuscation techniques to conceal malicious code and communications.
  • Distributed Denial of Service (DDoS) (T1499): Executes DDoS attacks against targeted services or networks.

IoC:

  • [File Name] conn.masjesu.zip
  • [IP Address] 216.126.231.240
  • [File Hash] 8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
  • [File Hash] 12f0e9582f0a65984653f75466709743
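The IoC list above is only useful once it is matched against something. The following Python is an added example, not code from NSFOCUS or from the alert: it takes the four IoC values exactly as published, classifies each one (the alert does not say which hash algorithm each digest is, so the script infers it from the hex length, which is an assumption), and then runs them over a few constructed firewall/proxy/AV log lines and over a file's name and digests. The log lines and file contents are invented for the demonstration; the IP match is boundary-anchored so it cannot fire on a longer dotted string, and hashes are compared case-insensitively because logs often upper-case digests.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# IoC values exactly as listed in the NSFOCUS alert above; nothing here is invented.
RAW_IOCS = [
    ("File Name", "conn.masjesu.zip"),
    ("IP Address", "216.126.231.240"),
    ("File Hash", "8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579"),
    ("File Hash", "12f0e9582f0a65984653f75466709743"),
]

# Hex digest lengths used to tell the hash algorithm apart (assumption: the alert
# does not label its hashes, so a 32-char digest is treated as MD5, 64 as SHA-256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class Ioc:
    kind: str   # "ip", "filename", "md5", "sha1" or "sha256"
    value: str  # hashes normalised to lowercase hex, other values kept as-is


def classify(label: str, value: str) -> Ioc:
    """Turn one '[Label] value' pair from the alert into a typed, validated Ioc."""
    if label == "IP Address":
        ipaddress.ip_address(value)  # raises ValueError for a malformed address
        return Ioc("ip", value)
    if label == "File Hash":
        if not HEX_RE.match(value) or len(value) not in HASH_LENGTHS:
            raise ValueError(f"unrecognised hash format: {value!r}")
        return Ioc(HASH_LENGTHS[len(value)], value.lower())
    if label == "File Name":
        return Ioc("filename", value)
    raise ValueError(f"unknown IoC label: {label!r}")


def load_iocs(raw=RAW_IOCS) -> list[Ioc]:
    return [classify(label, value) for label, value in raw]


def _ip_pattern(ip: str) -> re.Pattern:
    # Anchor on non-digit/non-dot boundaries so 216.126.231.240 does not
    # match inside a longer dotted string such as 216.126.231.2401.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def scan_log_lines(iocs: list[Ioc], lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (1-based line number, ioc kind, ioc value) for every IoC found in a line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for ioc in iocs:
            if ioc.kind == "ip":
                matched = _ip_pattern(ioc.value).search(line) is not None
            elif ioc.kind == "filename":
                matched = ioc.value in line
            else:  # hash: compare case-insensitively, logs often upper-case digests
                matched = ioc.value in lowered
            if matched:
                hits.append((lineno, ioc.kind, ioc.value))
    return hits


def check_file(iocs: list[Ioc], name: str, data: bytes) -> list[Ioc]:
    """Match a file by name and by the digest algorithm each hash IoC was classified as."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [
        ioc for ioc in iocs
        if (ioc.kind == "filename" and name == ioc.value)
        or (ioc.kind in digests and digests[ioc.kind] == ioc.value)
    ]


# Constructed sample log lines (not from the alert) used to exercise the scanner.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z fw: ACCEPT src=192.168.1.20 dst=216.126.231.240 dport=80",
    "2024-06-01T10:00:02Z fw: ACCEPT src=192.168.1.20 dst=216.126.231.24 dport=443",
    "2024-06-01T10:00:03Z proxy: GET http://216.126.231.240/conn.masjesu.zip 200",
    "2024-06-01T10:00:04Z av: scanned /tmp/update.bin "
    "sha256=8BC5E3BFF5150738699927CA2B95F3E3BFD87AED44C30FC61FAC788248528579",
]

if __name__ == "__main__":
    iocs = load_iocs()
    for lineno, kind, value in scan_log_lines(iocs, SAMPLE_LOGS):
        print(f"line {lineno}: {kind} IoC {value}")
```

Running the script reports hits on lines 1, 3 (both the address and the file name) and 4, and nothing on line 2, whose address merely shares a prefix with the listed one. A file name match on its own is weak evidence, since the name is trivially changed; the digest comparison in `check_file` is the stronger signal and the one worth feeding into endpoint tooling.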

Full Research: https://nsfocusglobal.com/alert-xorbot-comes-back-with-enhanced-tactics/