XOR Trojan Alert: Unraveling the Persistent DDoS Threat from IP 218.92.0.60

Beware the Trojan.XorDDoS! This digital gremlin, spotted since October 1, 2023, plays hide and seek with hashes, exclusively waltzing through DShield sensors via IP 218.92.0.60. Get ready to chuckle at malware’s monogamy! #TrojanXorDDoS #CyberSecurityTango

Hot Take:

It seems like the internet’s boogeyman has a favorite haunt, and it’s the DShield sensor haunting season! One pesky IP is dropping the same ‘trojan.xorddos/ddos’ treat bag at the same cyber doorstep, and surprise, surprise—it’s filled with more tricks than treats. Let’s unwrap this candy-coated cyber conundrum and see what’s really inside these sketchy sweets!

Key Points:

  • The DShield sensor has been consistently visited by an IP offering the dubious gift of a file named ‘eyshcjdmzg’, a known trojan.xorddos/ddos.
  • VirusTotal dating profiles show our file’s been in the game since 2019, but only waltzed onto DShield’s dance floor on March 7, 2024.
  • Sandbox flings with AssemblyLine and others reveal a config file for C2 booty calls, but alas, the trojan hasn’t evolved much—it’s still using the same old pickup lines.
  • A colorful bouquet of file hashes has been identified, each with its own level of popularity, ranging from 65 hits to just one.
  • The indicators also include an IP address and domain names that seem to be part of the trojan’s little black book for when it feels the urge to ‘communicate’.

Need to know more?

From One IP with Love

Imagine a secret admirer, except they're not so secret and their love notes are malware. That's what's happening here, with IP 218.92.0.60 playing Cyrano de Bergerac, but instead of romantic prose, it's sending over a trojan named 'eyshcjdmzg' since October 1, 2023. This IP has a one-track mind and a one-target aim, and it's sticking to its guns with admirable, albeit misguided, dedication.

A Walk Down Memory Lane

Let's take a stroll through the digital archives, shall we? The oldest file submission on VirusTotal, which has been cozying up to the sensor only once, dates back to August 2019. It seems like our trojan has been playing the long game, waiting for the perfect moment to make its grand entrance. And what an entrance it was, on the oh-so-memorable date of March 7, 2024. Mark your calendars, folks!

Playing in the Sandbox

Our trojan didn't just stop at VirusTotal; it went on a sandbox tour, getting frisky with AssemblyLine, among others, to flaunt all its indicators. Just like a bad date, it left behind a config file, which is basically its little black book for command and control rendezvous. Cross-referencing with other sandboxes confirmed our suspicions—the trojan is like that one friend who hasn't changed since high school.

The Hash Bash

Now, onto the hashes—a veritable smorgasbord of cryptographic identifiers, ranging from the high school prom king (the hash with 65 hits) to the ones that barely made it into the yearbook. These alphanumeric charmers are the fingerprints our trojan left on the scene, each one a testament to its attempts to mingle with the DShield sensor.

Communication Breakdown

Last but not least, let's talk about the trojan's communication game. We've got IP addresses and domain names that read like the guest list for a malware mixer. These domains are where the trojan goes to spill its secrets, and the IP addresses? Well, let's say they're the trojan's way of saying, "You up?" for some late-night command and control chat.

In the end, what do we have? A trojan that's a creature of habit, a security sensor that's probably feeling a little harassed, and a cybersecurity community with a front-row seat to this digital drama. Pop the popcorn and stay tuned, because this cyber saga is far from over!

Tags: C2 communication, DDoS Attacks, Malware Analysis, network indicators, sandboxing, VirusTotal, XOR DDoS