XorDdos

Malware updated 5 months ago (2024-05-04T21:19:11.672Z)

Download STIX

Preview STIX

XorDdos is a malicious software (malware) that was discovered by Microsoft in 2014 and has been widely used in attacks against cloud and Internet of Things (IoT) deployments. The Linux Trojan targets Linux devices, causing disruptions and potentially stealing sensitive information. It has been linked to a significant surge in use and has been documented as a stealthy distributed denial-of-service (DDoS) malware. Researchers have found considerable overlap between XorDdos and another Linux malware called Krasue, particularly in the rootkit portions of both malwares. The similarities suggest that Krasue was likely created by the same author as XorDdos or at least someone who had access to the XorDdos source code. This connection points to a possible shared author or operator, indicating a broader network of malware threats exploiting similar vulnerabilities. In addition to this, it was observed that a separate Linux Remote Access Trojan (RAT), likely tied to the creators of XorDdos, had been operating undetected for nearly two years, targeting organizations in Thailand and maintaining malicious access to infected systems. This discovery further underscores the stealth and persistence of these threats. In conclusion, the link between XorDdos and other malwares such as Krasue highlights the need for continuous vigilance and advanced security measures to protect against evolving cyber threats.

Description last updated: 2024-05-04T20:47:10.462Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Krasue is a possible alias for XorDdos. Krasue is a newly discovered malware that specifically targets Linux systems. Identified by cybersecurity researchers at Group-IB, this malicious software has been found to be primarily focused on telecom companies in Thailand. As with most malware, Krasue enters systems without the user's knowledge	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Trojan

Linux

Malware

Rootkit

Rat

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the XorDdos Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms
CERT-EU	10 months ago	Krasue RAT Malware: A New Threat to Linux Systems
BankInfoSecurity	10 months ago	'Krasue' Linux RAT Targets Organizations in Thailand
CERT-EU	10 months ago	พบ Krasue RAT (กระสือ) ใช้ Rootkit แฝงตัวใน Linux server เพื่อโจมตีบริษัทโทรคมนาคมในประเทศไทย - Bangkok, Thailand \| i-secure Co, Ltd.
DARKReading	10 months ago	Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms
CERT-EU	10 months ago	New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms
CERT-EU	10 months ago	New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand
CERT-EU	10 months ago	Krasue RAT malware hides on Linux servers using embedded rootkits
Securityaffairs	10 months ago	New Krasue Linux RAT targets telecom companies in Thailand
SANS ISC	a year ago	Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary] - SANS Internet Storm Center
Unit42	a year ago	Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign
CERT-EU	2 years ago	New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers