[Intel]: https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
Area
Malware reports
Parent threat
Initial Access, Credential Access, Impact
Finding
https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
Industry reference
attack:T1078:Valid Accounts attack:T1100:Brute Force attack:T1498:Network Denial of Service attack:T1053.003:Cron attack:T1105:Ingress Tool Transfer attack:T1027:Obfuscated Files or Information attack:T1014:Rootkit attack:T1082:System Information Discovery attack:T1003.007:Proc Filesystem attack:T1562.001:Disable or Modify Tools attack:T1037.004:RC Scripts attack:T1070.004:File Deletion attack:T1036.005:Match Legitimate Name or Location uses:/dev/shm uses:ioctl uses:shmem uses:Port Hiding https://github.com/timb-machine/linux-malware/issues/129
Malware reference
XorDDoS Rooty
Actor reference
No response
Component
Linux
Scenario
No response
Scenario variation
No response
Is there any possibility to get the binary?
Different hash and I've not detonated it anywhere but:
- https://bazaar.abuse.ch/sample/ab6ee08016a05e1b3e4fb07bcdac63756a49ecdc83bc76e0462ee6c309ad639e/
.strtab, symbols and strings check out though and it comes up as Unix.Trojan.DDoS_XOR with ClamAV.
Thank you, man. You are great!
On Wed, 25 May 2022, 3:41 am Tim Brown wrote: