Around midnight on January 16 and again on January 19, 2024, one of our honeypots was targeted by a sample of the Linux trojan XOR DDoS, delivered from an OpenSSH server geolocated in Nanjing, China.
Based on the known TTPs of the XOR DDoS trojan, the compromise most likely occurred by brute-forcing the honeypot's SSH credentials and then dropping the payload over the resulting session.
The malware (SHA256 ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73) was dropped into the download folder of one of our honeypots from the IP address 218[.]92[.]0[.]60, which appears to be an OpenSSH server hosted on the CHINANET Jiangsu Province Network.
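As an added example, not code from the original post, the following Python script shows how a defender could detect this TTP on a honeypot or an exposed SSH host: it flags successful SSH logins that follow a burst of failed attempts from the same source, and hashes files found in the download folder against the sample's SHA256 quoted above. The sshd log lines are constructed, and the function names are my own.

```python
import hashlib
import re
from collections import defaultdict

# Indicators quoted in the post above (defanged IP re-joined for matching).
XOR_DDOS_SHA256 = "ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73"
XOR_DDOS_SOURCE_IP = "218.92.0.60"

# Constructed sshd lines in auth.log syntax; these are NOT the honeypot's real logs.
SAMPLE_AUTH_LOG = """\
Jan 16 00:00:01 hp sshd[1201]: Failed password for root from 218.92.0.60 port 40122 ssh2
Jan 16 00:00:03 hp sshd[1203]: Failed password for root from 218.92.0.60 port 40130 ssh2
Jan 16 00:00:05 hp sshd[1205]: Failed password for invalid user admin from 218.92.0.60 port 40138 ssh2
Jan 16 00:00:07 hp sshd[1207]: Accepted password for root from 218.92.0.60 port 40141 ssh2
Jan 16 00:03:12 hp sshd[1300]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def find_bruteforce_logins(log_text, min_failures=3):
    """Return successful logins preceded by >= min_failures failures from the same IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append({"ip": ip, "user": user, "failures": failures[ip],
                         "known_xorddos_source": ip == XOR_DDOS_SOURCE_IP})
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_downloads(files, known_hashes=frozenset({XOR_DDOS_SHA256})):
    """files: {name: bytes} read from the download folder. Returns names matching known hashes."""
    return sorted(name for name, data in files.items() if sha256_hex(data) in known_hashes)
```

Feed `find_bruteforce_logins` the host's real `/var/log/auth.log` (or `journalctl -u ssh` output in the same syntax) and pass the download folder's contents to `triage_downloads` to apply the same logic outside the constructed sample.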
This specific sample has been in consistent use since 2022, based on a review of VirusTotal submissions. Further research shows that the malware has also historically communicated with infrastructure in South Korea and Australia.