At midnight on January 16 and 19, 2024, one of our honeypots was targeted by a sample of the Linux trojan XOR DDoS from an OpenSSH server geolocated to Nanjing, China.
Based on the known TTPs of the XOR DDoS trojan, the compromise likely occurred by brute-forcing the honeypot's SSH service and then dropping the payload.
The malware, which matches the SHA256 hash ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73, was dropped into the download folder of one of our honeypots from the IP address 218[.]92[.]0[.]60, which appears to be an OpenSSH server hosted on the CHINANET Jiangsu Province Network.
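The intrusion chain described above (an SSH password-guessing burst followed by a successful login and a payload drop) is easy to spot in sshd logs once the two events are correlated by source address. The following is an added detection example, not code from the original post; the log lines are constructed, the year and the failure threshold are assumptions, and the only page-derived value is the source IP above.

```python
# Added example (not from the original post): correlate an SSH password-guessing
# burst with a later successful login from the same source, the intrusion chain
# the post attributes to XOR DDoS. Log lines are constructed; the year (2024) and
# thresholds are assumptions; the source IP is the one reported in the post.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog excerpt modelled on the honeypot timeline.
SAMPLE_LOG = """\
Jan 16 00:00:01 honeypot sshd[2101]: Failed password for root from 218.92.0.60 port 41022 ssh2
Jan 16 00:00:03 honeypot sshd[2101]: Failed password for root from 218.92.0.60 port 41022 ssh2
Jan 16 00:00:05 honeypot sshd[2107]: Failed password for admin from 218.92.0.60 port 41030 ssh2
Jan 16 00:00:07 honeypot sshd[2109]: Failed password for root from 218.92.0.60 port 41041 ssh2
Jan 16 00:00:09 honeypot sshd[2111]: Accepted password for root from 218.92.0.60 port 41055 ssh2
Jan 16 00:05:00 honeypot sshd[2150]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2
"""

# Indicator from the post (written there defanged as 218[.]92[.]0[.]60).
KNOWN_BAD_IPS = {"218.92.0.60"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_bruteforce_logins(log_text, year=2024, min_failures=3, window_s=300):
    """Return one finding per Accepted login that was preceded, within window_s
    seconds, by at least min_failures Failed attempts from the same source IP."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts seen so far
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            findings.append({
                "ip": ip, "user": m["user"], "accepted_at": ts.isoformat(),
                "failures_before": len(recent),
                "known_indicator": ip in KNOWN_BAD_IPS,
            })
    return findings

if __name__ == "__main__":
    for finding in find_bruteforce_logins(SAMPLE_LOG):
        print(finding)
```

A successful login after such a burst, from an address on the indicator list, is the point at which to look for new files in the honeypot's download folder.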
This specific sample has been in consistent use since 2022, based on a review of VirusTotal submissions. Further research shows that the malware has also historically communicated with infrastructure in South Korea and Australia.