
Alert: XorBot Comes Back with Enhanced Tactics

I. Overview

According to NSFOCUS monitoring, since the beginning of 2024 XorBot, a new botnet family with a high level of anti-tracking awareness, has been continuously updating its versions and introducing new features, undergoing significant changes.

This botnet family first emerged in November 2023 and was exclusively disclosed by the NSFOCUS Security Labs in December 2023.

To date, XorBot has become an undeniable security threat in the field of the Internet of Things (IoT), with attackers primarily targeting devices such as Intelbras cameras and routers from TP-Link and D-Link, leading to a large number of IoT devices being compromised.

As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services.

Notably, because its newly registered channel is named “Masjesu Botnet,” the security community also commonly refers to this family as “Masjesu.” The software released by this family carries a clear version identifier, and the latest version to date is 1.04.

Figure 1.1 Masjesu’s Telegram Channel

II. Propagation

This botnet primarily propagates by targeting IoT devices from brands such as Intelbras (surveillance cameras), TP-Link, and D-Link. Once an attack succeeds, it runs a malicious Trojan program on the compromised device; the latest version of the Trojan has up to 12 different exploit methods built in, as listed below:

| Vulnerability | Target Devices |
| --- | --- |
| UPnP SOAP TelnetD Command Execution | D-Link devices |
| Netgear cgi-bin Command Injection | Netgear R7000/R6400 devices |
| CCTV/DVR Remote Code Execution | CCTVs, DVRs from over 70 vendors |
| HNAP SoapAction-Header Command Execution | D-Link devices |
| JAWS Webserver unauthenticated shell command execution | MVPower DVRs, among others |
| Netgear setup.cgi unauthenticated RCE | DGN1000 Netgear routers |
| Vacron NVR RCE | Vacron NVR devices |
| Eir WAN Side Remote Command Injection | Eir D1000 routers |
| CVE-2014-8361 | Different devices using the Realtek SDK with the miniigd daemon |
| CVE-2017-17215 | Huawei HG532 |
| GPON Exploit | GPON |
| CVE-2023-1389 | TP-Link |

After successfully exploiting the vulnerabilities to infiltrate the devices, the Trojan is placed in the /tmp directory of the infected device:

Figure 2.1 Data in /tmp Directory

The process information of the infected device is as follows (/tmp/mipsel):

Figure 2.2 Process Information of Infected Device

III. Trojan Analysis

3.1 Trojan Version Changes

The latest version of XorBot, while maintaining a high degree of similarity with earlier versions, also shows significant differences, mainly in the following aspects:

  • In the release phase, both adopt similar anti-tracking ideas, but the specific implementation paths differ. Although they both take a passive online strategy, there are differences in the verification process and online characteristics;
  • A new version identification field has been added, and the current latest version has been updated to 1.04;
  • They have different flooding attack modules, and there are differences in code style. The early version included only 5 flooding attack modes, while the latest version has more than 10.
  • More than ten kinds of vulnerability exploitation techniques have been newly integrated.

Over the past year, this family has gone through multiple version iterations, and the active periods of each version are shown below:

| Version | Time | Features |
| --- | --- | --- |
| V1 | Early November 2023 | File size 30k, no version string |
| V2 | Mid-November 2023 | Static linking, added a large amount of invalid code to cover malicious branches, making the detection rate of current antivirus engines close to 0 |
| V3 | Early June 2024 | First appearance of version string 1.01 |
| V4 | Mid-June 2024 | Appearance of version string 1.02 |
| V5 | End of June 2024 | Appearance of version string 1.03, attack methods increased to 12 |
| V6 | Early November 2024 | Appearance of version string 1.04, added 12 exploit methods |

3.2 Supported Architectures

Recently, this malware family has been unusually active, and its propagation scripts show wide compatibility with CPU architectures, covering MIPS, PowerPC, ARM, and x86_64, among others.

Figure 3.1 Propagation Script

3.3 Encryption and Decryption Methods

The Trojan uses a multi-round XOR encryption technique similar to the Mirai family and introduces a new table_key (specific values are 0x16, 0x9F, 0x08, 0x00). The design of its decryption algorithm is as follows:

Figure 3.2 Decryption Algorithm

3.4 Persistence Methods

The Trojan disguises itself as a legitimate system component by replacing the system’s critical file /usr/lib/ld-unix.so.2, thereby increasing its stealthiness. In addition, it writes itself or related execution commands into the system’s crontab configuration to ensure automatic execution even after a system reboot, achieving persistence of malicious behavior.

Figure 3.3 Persistence

Furthermore, the Trojan also changes the permission settings of the /tmp directory, restricting it to read-only by the file owner, thereby monopolizing the target device’s resources and effectively preventing other botnets or malware from entering the system and using that directory for their activities.

Figure 3.4 Monopolizing Devices
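The three persistence traits described in this section (the replaced /usr/lib/ld-unix.so.2, the crontab entry, and the locked-down /tmp) can be checked offline on a mounted firmware image or extracted filesystem. The script below is an added example written for this post and is not NSFOCUS code; the crontab locations it looks in are an assumption about common cron and busybox layouts, the SHA-256 it compares against is the one from the IoC section, and the demo tree it builds is a constructed fixture rather than data from a real device.

```python
"""Offline triage for the XorBot persistence traits (added example, not NSFOCUS code)."""
import hashlib
import os
import re
import stat
import tempfile

# SHA-256 taken from the IoC section of the post.
KNOWN_SHA256 = {"8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579"}
# Crontab locations checked; an assumption about common cron/busybox layouts.
CRON_FILES = ("etc/crontab", "etc/crontabs/root", "var/spool/cron/crontabs/root")
# An uncommented cron line that launches something under /tmp (e.g. /tmp/mipsel).
TMP_REF_RE = re.compile(r"(?:^|[\s;&|])/tmp/\S+")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def crontab_tmp_refs(root):
    """Return (file, line number, text) for cron lines that run a binary from /tmp."""
    hits = []
    for rel in CRON_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if line.lstrip().startswith("#"):
                    continue
                if TMP_REF_RE.search(line):
                    hits.append((rel, lineno, line.strip()))
    return hits


def tmp_not_world_writable(root):
    """True when /tmp has lost its usual world-writable bit (a healthy /tmp is mode 1777)."""
    path = os.path.join(root, "tmp")
    if not os.path.isdir(path):
        return False
    return not (stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH)


def triage(root):
    """Collect findings for a filesystem tree rooted at `root` ("/" for a live system)."""
    findings = []
    loader = os.path.join(root, "usr/lib/ld-unix.so.2")
    if os.path.isfile(loader):
        digest = sha256_of(loader)
        tag = "matches IoC hash" if digest in KNOWN_SHA256 else "compare against a known-good image"
        findings.append(f"/usr/lib/ld-unix.so.2 present, sha256={digest} ({tag})")
    for rel, lineno, text in crontab_tmp_refs(root):
        findings.append(f"{rel}:{lineno} runs a binary from /tmp: {text}")
    if tmp_not_world_writable(root):
        findings.append("/tmp is no longer world-writable")
    return findings


def build_demo_tree(infected):
    """Constructed fixture (not real device data): a minimal root with the traits on or off."""
    root = tempfile.mkdtemp(prefix="xorbot-triage-")
    for rel in ("usr/lib", "etc", "tmp"):
        os.makedirs(os.path.join(root, rel))
    if infected:
        with open(os.path.join(root, "usr/lib/ld-unix.so.2"), "wb") as fh:
            fh.write(b"\x7fELF placeholder, constructed")
        with open(os.path.join(root, "etc/crontab"), "w") as fh:
            fh.write("# constructed sample\n@reboot /tmp/mipsel\n")
        os.chmod(os.path.join(root, "tmp"), 0o700)
    else:
        with open(os.path.join(root, "etc/crontab"), "w") as fh:
            fh.write("0 3 * * * /usr/sbin/logrotate\n")
        os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root


if __name__ == "__main__":
    for line in triage(build_demo_tree(infected=True)):
        print(line)
```

Run it against an extracted firmware directory with `triage("/path/to/rootfs")`; the /tmp permission check is most useful on a live or freshly captured device, since /tmp is usually recreated at boot.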

3.5 Online Characteristics

The Trojan shows strong anti-tracking characteristics and adopts a passive online method during the check-in process: after establishing a connection with the control end, it does not immediately send an online packet but waits to receive data from the control end. This data is randomly generated and differs with each connection. The client then sends back the received random string, the architecture information of the compromised host, and the Trojan’s version identifier to the server. This design makes tracking based on signature detection more difficult. The Trojan carries a clear version identifier, and the latest version has been updated to 1.04.

Figure 3.5 Construction of Release Package

The actual traffic generated is as follows:

Figure 3.6 Release Traffic
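Because the client waits for the server to speak first and then echoes the server's random bytes back, the check-in leaves a flow-level pattern that does not depend on any fixed byte signature. The following added example (written for this post, not NSFOCUS code) models a flow as an ordered list of (direction, payload) pairs and reports whether the first payload came from the server and whether the client's first reply contains it. The sample flows are constructed, the exact XorBot framing from Figures 3.5 and 3.6 is not reproduced, and the version-string match is only extra context.

```python
"""Flow-level check for the passive check-in described in section 3.5 (added example, not NSFOCUS code)."""
import re

# Version strings the post names (1.01 to 1.04); reported as context only.
VERSION_RE = re.compile(rb"\b1\.0[1-4]\b")


def classify_flow(flow):
    """flow: list of (direction, payload) in arrival order, direction "c2s" or "s2c"."""
    payloads = [(d, p) for d, p in flow if p]
    result = {"server_first": False, "echoes_challenge": False, "version": None}
    if not payloads:
        return result
    result["server_first"] = payloads[0][0] == "s2c"
    if not result["server_first"]:
        return result
    challenge = payloads[0][1]
    reply = next((p for d, p in payloads[1:] if d == "c2s"), b"")
    # Trait from the post: the client sends the random bytes back together with
    # its architecture and version. Require a few bytes of challenge so that a
    # coincidental single shared byte does not count as an echo.
    result["echoes_challenge"] = len(challenge) >= 4 and challenge in reply
    m = VERSION_RE.search(reply)
    result["version"] = m.group().decode() if m else None
    return result


def looks_like_xorbot_checkin(flow):
    """Both traits must hold; server-first alone matches banner protocols such as SSH."""
    r = classify_flow(flow)
    return r["server_first"] and r["echoes_challenge"]


# Constructed sample flows (not captured traffic).
XORBOT_LIKE = [("s2c", b"Qm7kdL2pXa"), ("c2s", b"Qm7kdL2pXa|mipsel|1.04")]
# A TLS session on 443: the client speaks first with a ClientHello.
TLS_LIKE = [("c2s", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
            ("s2c", b"\x16\x03\x03\x00\x5a\x02")]
# SSH: the server speaks first, but the client does not echo the banner.
SSH_LIKE = [("s2c", b"SSH-2.0-OpenSSH_8.9\r\n"), ("c2s", b"SSH-2.0-libssh_0.9.6\r\n")]

if __name__ == "__main__":
    for name, flow in (("xorbot-like", XORBOT_LIKE), ("tls", TLS_LIKE), ("ssh", SSH_LIKE)):
        print(name, looks_like_xorbot_checkin(flow), classify_flow(flow))
```

The SSH sample is included to show why "server sends first" is not enough on its own; the echo of the server's random bytes is what separates this check-in from ordinary banner-first protocols.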

3.6 DDoS Attack Methods

The Trojan supports various DDoS attack methods, including but not limited to UDP, TCP, and HTTP attacks. After receiving an instruction from the server, it first decrypts it and then selects the corresponding attack method according to the length of the data returned by the server, each instruction having a distinct length.

In the latest version, the attack methods supported by the Trojan include:

| Instruction Length | Instruction Content | Attack Method |
| --- | --- | --- |
| 21 | udp | UDP Flood |
| 22 | handshake | UDP Flood |
| 23 | vse | UDP Flood |
| 24 | gre | UDP Flood |
| 25 | rdp | UDP Flood |
| 26 | ospf | UDP Flood |
| 27 | icmp | ICMP Flood |
| 28 | igmp | UDP Flood |
| 29 | Protorand | UDP Flood |
| 30 | tcp_syn | TCP_SYN Flood |
| 31 | tcp_ack | TCP-ACK Flood |
| 32 | tcp_ackpsh | TCP-ACKPSH Flood |
| 33 | http | HTTP Flood |
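The decoding step from section 3.3 and the instruction table above fit together in a small analysis helper of the kind a sandbox or C2 tracker uses to log which attack a received instruction asks for. The block below is an added example written for this post, not NSFOCUS code. It uses the key bytes 0x16, 0x9F, 0x08, 0x00 from section 3.3 and follows the Mirai table scheme, in which every byte is XORed with each key byte in turn; the post only says XorBot's scheme is "similar", so that round structure is an assumption. Because XOR is associative, the four rounds collapse to a single XOR with the combined key byte, which is why this is obfuscation rather than encryption. The sample strings and the instruction layout (keyword first, then filler up to the documented length) are constructed; the post documents only the keyword and the total length of each instruction.

```python
"""Mirai-style table decoding with XorBot's table_key plus instruction classification (added example, not NSFOCUS code)."""
from functools import reduce

# Key bytes from section 3.3 of the post.
TABLE_KEY = (0x16, 0x9F, 0x08, 0x00)


def effective_key(key=TABLE_KEY):
    """The four XOR rounds collapse to one XOR with all key bytes combined (0x81 here)."""
    return reduce(lambda a, b: a ^ b, key)


def xor_rounds(data, key=TABLE_KEY):
    """Mirai-style toggle: XOR every byte with each key byte in turn. Applying it twice restores the input."""
    out = bytearray(data)
    for k in key:
        for i in range(len(out)):
            out[i] ^= k
    return bytes(out)


# Keyword -> (documented instruction length, attack method), from the table in section 3.6.
COMMANDS = {
    b"udp": (21, "UDP Flood"),
    b"handshake": (22, "UDP Flood"),
    b"vse": (23, "UDP Flood"),
    b"gre": (24, "UDP Flood"),
    b"rdp": (25, "UDP Flood"),
    b"ospf": (26, "UDP Flood"),
    b"icmp": (27, "ICMP Flood"),
    b"igmp": (28, "UDP Flood"),
    b"Protorand": (29, "UDP Flood"),
    b"tcp_syn": (30, "TCP_SYN Flood"),
    b"tcp_ack": (31, "TCP-ACK Flood"),
    b"tcp_ackpsh": (32, "TCP-ACKPSH Flood"),
    b"http": (33, "HTTP Flood"),
}


def classify_command(ciphertext, key=TABLE_KEY):
    """Decode a received instruction and name the attack it requests; None if unrecognised.
    Layout assumption: the keyword sits at the start of the decoded buffer. Longer keywords
    are tried first so that tcp_ackpsh is not mistaken for tcp_ack."""
    plain = xor_rounds(ciphertext, key)
    for keyword in sorted(COMMANDS, key=len, reverse=True):
        if plain.startswith(keyword):
            length, attack = COMMANDS[keyword]
            return {"keyword": keyword.decode(), "attack": attack,
                    "length": len(plain), "length_as_documented": len(plain) == length}
    return None


def constructed_command(keyword):
    """Constructed test vector: keyword, a space, filler up to the documented length, then encoded."""
    length, _ = COMMANDS[keyword]
    plain = keyword + b" " + b"0" * (length - len(keyword) - 1)
    return xor_rounds(plain)


if __name__ == "__main__":
    print(hex(effective_key()))
    # C2 host from the IoC list, encoded the way a Mirai-style config table is assumed to hold it.
    enc = xor_rounds(b"conn.masjesu.zip")
    print(enc.hex(), xor_rounds(enc))
    print(classify_command(constructed_command(b"tcp_ackpsh")))
```

When carving strings from a sample, `xor_rounds` can be applied to the whole config table region and the output searched for readable hostnames such as the C2 domain listed in the IoC section; the `length_as_documented` flag in the classifier result is a cheap consistency check against the table when triaging captured C2 traffic.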

V. Conclusion

As an emerging botnet family, XorBot is showing a strong growth momentum, continuously infiltrating and controlling new IoT devices. Notably, these controllers are increasingly inclined to use social media platforms such as Telegram as the main channels for recruitment and promotion, attracting target “customers” through initial active promotional activities, laying a solid foundation for the subsequent expansion and development of the botnet.

In addition, the botnet’s controllers continue to invest in anti-detection and anti-tracking techniques. At the communication level, they improve stealth by designing unique interaction logic that makes tracking harder. At the file level, they use techniques such as inserting redundant code and obfuscating sample signatures to make their activity harder to monitor and identify.

VI. IoC

conn.masjesu.zip:443

216.126.231.240:443

8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

12f0e9582f0a65984653f75466709743


Syndicated via the Security Bloggers Network from NSFOCUS, Inc., authored by NSFOCUS. Original post: https://nsfocusglobal.com/alert-xorbot-comes-back-with-enhanced-tactics/