I. Overview
According to NSFOCUS monitoring, XorBot, a new botnet family with a strong anti-tracking design, has been continuously releasing new versions and adding features since the beginning of 2024, and has changed significantly in the process.
This botnet family first emerged in November 2023 and was exclusively disclosed by the NSFOCUS Security Labs in December 2023.
To date, XorBot has become a significant security threat in the Internet of Things (IoT) space. Its operators primarily target devices such as Intelbras cameras and TP-Link and D-Link routers, and a large number of IoT devices have been compromised as a result.
As the number of devices under its control has grown, the operators have also begun to monetize the botnet, openly advertising DDoS-for-hire services.
Notably, because the operators registered their channel under the name “Masjesu Botnet,” the security community also refers to this family as “Masjesu.” The released samples carry an explicit version identifier; the latest version observed so far is 1.04.
II. Propagation
This botnet propagates mainly through IoT devices from brands such as Intelbras (surveillance cameras), TP-Link, and D-Link. Once an attack succeeds, it runs a malicious Trojan on the compromised device; the latest version of the Trojan has 12 exploit methods built in, listed below:

| Vulnerability | Target Devices |
| --- | --- |
| UPnP SOAP TelnetD Command Execution | D-Link devices |
| Netgear cgi-bin Command Injection | Netgear R7000/R6400 devices |
| CCTV/DVR Remote Code Execution | CCTVs and DVRs from over 70 vendors |
| HNAP SoapAction-Header Command Execution | D-Link devices |
| JAWS Webserver unauthenticated shell command execution | MVPower DVRs, among others |
| Netgear setup.cgi unauthenticated RCE | Netgear DGN1000 routers |
| Vacron NVR RCE | Vacron NVR devices |
| Eir WAN Side Remote Command Injection | Eir D1000 routers |
| CVE-2014-8361 | Various devices using the Realtek SDK with the miniigd daemon |
| CVE-2017-17215 | Huawei HG532 |
| GPON Exploit | GPON routers |
| CVE-2023-1389 | TP-Link |
After exploiting one of these vulnerabilities to get onto the device, the Trojan is dropped into the /tmp directory of the infected device, for example as /tmp/mipsel, which is the name it appears under in the infected device's process list.
III. Trojan Analysis
3.1 Trojan Version Changes
The latest version of XorBot remains very similar to earlier versions but also differs in several important ways:
- In the check-in (online) phase both follow the same anti-tracking idea, a passive check-in in which the bot waits for the server to speak first, but the implementation differs: the verification step and the check-in traffic characteristics are not the same;
- A version identifier field has been added; the current latest version is 1.04;
- The flood attack modules differ, and so does the code style. The early version had only 5 flood modes, while the latest version has more than 10;
- More than ten vulnerability exploitation techniques have been newly integrated.
Over the past year, this family has gone through multiple version iterations; the active period and distinguishing features of each version are shown below:

| Version | Time | Features |
| --- | --- | --- |
| V1 | Early November 2023 | File size 30k, no version string |
| V2 | Mid-November 2023 | Static linking; a large amount of dead code added to hide malicious branches, bringing the detection rate of current antivirus engines close to 0 |
| V3 | Early June 2024 | First appearance of version string 1.01 |
| V4 | Mid-June 2024 | Version string 1.02 |
| V5 | End of June 2024 | Version string 1.03; attack methods increased to 12 |
| V6 | Early November 2024 | Version string 1.04; 12 exploit methods added |
3.2 Supported Architectures
The family has recently been unusually active, and its propagation scripts show broad CPU-architecture coverage, with builds for MIPS, PowerPC, ARM, and x86_64, among others.
3.3 Encryption and Decryption Methods
The Trojan uses a multi-round XOR scheme similar to the Mirai family's string-table encryption and introduces a new table_key with the bytes 0x16, 0x9F, 0x08, 0x00. Its decryption routine applies this key to the encoded table in the same way Mirai does.
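The following is an added example for analysts, not XorBot's or NSFOCUS's code. It implements the Mirai-style multi-round XOR with the table_key given above, shows that the four single-byte rounds collapse into one XOR with 0x81 (0x16 ^ 0x9F ^ 0x08 ^ 0x00), and carves NUL-separated strings out of an encoded table. Whether XorBot keeps exactly Mirai's per-byte round structure is an assumption, and the encoded blob below is constructed for the demonstration, not bytes from a real sample.

```python
"""Mirai-style multi-round XOR decoder using the XorBot table_key
(0x16, 0x9F, 0x08, 0x00) reported on this page.

Added example; not XorBot's own code. The round structure (each key byte
applied in turn to every data byte) mirrors the published Mirai source and
is assumed to hold for XorBot. The sample blob is constructed test data.
"""
from functools import reduce

TABLE_KEY = (0x16, 0x9F, 0x08, 0x00)


def effective_key(key_bytes=TABLE_KEY) -> int:
    """XOR is associative, so N single-byte rounds collapse to one byte."""
    return reduce(lambda a, b: a ^ b, key_bytes, 0)


def xor_rounds(data: bytes, key_bytes=TABLE_KEY) -> bytes:
    """Literal multi-round form: apply each key byte to every data byte."""
    out = bytearray(data)
    for k in key_bytes:
        for i in range(len(out)):
            out[i] ^= k
    return bytes(out)


def xor_fast(data: bytes, key_bytes=TABLE_KEY) -> bytes:
    """Equivalent single-pass form using the collapsed key (0x81 here)."""
    k = effective_key(key_bytes)
    return bytes(b ^ k for b in data)


def carve_strings(blob: bytes, key_bytes=TABLE_KEY, min_len: int = 4) -> list:
    """Decode a whole encoded table and return its printable entries.

    Because the key collapses to a single byte, decoding the entire blob and
    splitting on NUL is enough; no per-entry length bookkeeping is needed."""
    decoded = xor_fast(blob, key_bytes)
    found = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(32 <= c < 127 for c in chunk):
            found.append(chunk.decode("ascii"))
    return found


# Constructed sample table (not from a real binary): three NUL-terminated
# entries, encoded the way the Trojan would store them.
SAMPLE_PLAINTEXT = [b"/tmp/mipsel", b"masjesu", b"1.04"]
SAMPLE_BLOB = xor_rounds(b"\x00".join(SAMPLE_PLAINTEXT) + b"\x00")

if __name__ == "__main__":
    print(f"effective key: 0x{effective_key():02X}")
    print(carve_strings(SAMPLE_BLOB))
```

The practical consequence is that the "multi-round" scheme gives no more protection than a single-byte XOR: any XOR brute-forcer that tries all 256 keys, or a search for the 0x81-encoded form of a known string such as "/tmp/", will expose the table without knowing the key at all.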
3.4 Persistence Methods
The Trojan disguises itself as a legitimate system component by installing itself in place of /usr/lib/ld-unix.so.2, a name chosen to resemble the system's dynamic loader, which improves its stealth. In addition, it writes itself, or commands that execute it, into the system's crontab so that it is re-launched automatically after a reboot, achieving persistence.
Furthermore, the Trojan changes the permissions of the /tmp directory, restricting it to read-only for the owner. This monopolizes the device: other botnets or malware that would normally drop their payloads into /tmp are prevented from using the directory.
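The triage script below is an added example, not NSFOCUS's tooling, that checks a filesystem tree for the three persistence artifacts just described. It takes a root directory so it can be pointed at a mounted firmware image or a copied filesystem; the loader path and the /tmp behaviour come from the text above, while the crontab locations it scans are common defaults assumed here, not something the page lists. The "infected" tree it builds for demonstration is constructed, not taken from a real device.

```python
"""Host triage for the XorBot persistence artifacts described above:
a planted /usr/lib/ld-unix.so.2, a cron entry executing from /tmp, and a
/tmp directory locked to owner read-only (0400).

Added example, not NSFOCUS or XorBot code. Crontab locations are assumed
common defaults; the fixture tree is constructed.
"""
import os
import re
import stat
import tempfile

LOADER_PATH = "usr/lib/ld-unix.so.2"                         # from the page
CRONTAB_CANDIDATES = ("etc/crontab", "etc/crontabs/root",     # assumed
                      "var/spool/cron/crontabs/root")
# Non-comment cron line whose command references /tmp.
SUSPECT_CRON = re.compile(r"^\s*[^#].*\s/tmp\b")


def check_loader(root: str) -> bool:
    """True if the non-standard loader name exists.

    glibc ships ld-linux*.so.*, uClibc ld-uClibc.so.0 and musl ld-musl-*.so.1;
    none of them use ld-unix.so.2, so its presence alone is worth flagging."""
    return os.path.lexists(os.path.join(root, LOADER_PATH))


def check_crontab(root: str) -> list:
    """Return cron lines that run something out of /tmp."""
    hits = []
    for rel in CRONTAB_CANDIDATES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                if SUSPECT_CRON.search(line):
                    hits.append(f"{rel}: {line.strip()}")
    return hits


def check_tmp_mode(root: str) -> bool:
    """True if /tmp has been reduced to owner read-only (0400).

    A normal /tmp is 1777. Note that root ignores DAC bits, so this lockout
    only starves competitors that run unprivileged."""
    tmp = os.path.join(root, "tmp")
    if not os.path.isdir(tmp):
        return False
    return stat.S_IMODE(os.stat(tmp).st_mode) == 0o400


def triage(root: str) -> dict:
    return {
        "loader_planted": check_loader(root),
        "cron_hits": check_crontab(root),
        "tmp_locked": check_tmp_mode(root),
    }


def build_clean_tree() -> str:
    """Constructed fixture: an uninfected minimal tree."""
    root = tempfile.mkdtemp()
    for d in ("usr/lib", "etc", "tmp"):
        os.makedirs(os.path.join(root, d))
    return root


def build_infected_tree() -> str:
    """Constructed fixture reproducing the page's three artifacts."""
    root = build_clean_tree()
    open(os.path.join(root, LOADER_PATH), "wb").close()
    with open(os.path.join(root, "etc/crontab"), "w") as fh:
        fh.write("# comment mentioning /tmp/x is ignored\n"
                 "@reboot /tmp/mipsel\n")
    os.chmod(os.path.join(root, "tmp"), 0o400)
    return root


if __name__ == "__main__":
    print(triage(build_infected_tree()))
```

Run it against "/" on a live device only with the caveat that the loader check is about the file name, not its contents; on a real image, hash or disassemble anything found at that path before drawing conclusions.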
3.5 Online Characteristics
The Trojan has strong anti-tracking characteristics and uses a passive check-in (online) method. After establishing a connection to the control server it does not immediately send a check-in message; instead it waits for data from the server. That data is randomly generated and differs on every connection. The client then sends back the random value it received together with the architecture of the compromised host and the Trojan's version identifier. Because the client never speaks first and its first message depends on a per-connection random value, signature-based tracking of the check-in is harder. The Trojan carries an explicit version identifier, and the latest version observed is 1.04.
Traffic captured by NSFOCUS shows this exchange in practice.
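The exchange described above, simulated end to end as an added example (not XorBot's or NSFOCUS's code). The page fixes the order of messages, server first with a fresh random value and the bot answering with that value plus its architecture and version, but not the wire framing; the framing here (16 random bytes, reply fields joined by ':' and newline-terminated) and the architecture string "mipsel" taken from the /tmp/mipsel process name are assumptions for the demonstration.

```python
"""Passive check-in (server speaks first) over a local socketpair.

Added example, not XorBot code. NONCE_LEN and the ':'-separated reply
format are assumed; the version string comes from the page.
"""
import os
import socket
import threading

NONCE_LEN = 16          # assumed framing
VERSION = "1.04"        # from the page
ARCH = "mipsel"         # assumed, after the /tmp/mipsel process name


def parse_reply(expected_nonce: bytes, reply: bytes) -> dict:
    """Split the bot's reply and check the nonce.

    A reply replayed from an earlier session fails here because the nonce
    is fresh per connection."""
    fields = reply.rstrip(b"\n").split(b":")
    if len(fields) != 3:
        return {"ok": False, "reason": "bad field count"}
    nonce_hex, arch, version = fields
    if nonce_hex != expected_nonce.hex().encode():
        return {"ok": False, "reason": "nonce mismatch"}
    return {"ok": True, "arch": arch.decode(), "version": version.decode()}


def server_side(sock: socket.socket) -> dict:
    """Control side: send the random value first, then validate the echo."""
    nonce = os.urandom(NONCE_LEN)
    sock.sendall(nonce)
    reply = sock.recv(4096)
    return parse_reply(nonce, reply)


def client_side(sock: socket.socket, arch: str = ARCH, version: str = VERSION) -> bytes:
    """Bot side: send nothing until the server's random value arrives, so
    there is no fixed client-first beacon to write a signature for."""
    nonce = sock.recv(NONCE_LEN)
    reply = b":".join([nonce.hex().encode(), arch.encode(), version.encode()]) + b"\n"
    sock.sendall(reply)
    return reply


def run_exchange() -> dict:
    """Drive one complete check-in between both halves over a socketpair."""
    c2, bot = socket.socketpair()
    result = {}

    def serve():
        result.update(server_side(c2))

    t = threading.Thread(target=serve)
    t.start()
    client_side(bot)
    t.join()
    c2.close()
    bot.close()
    return result


if __name__ == "__main__":
    print(run_exchange())
```

The detection angle follows from the ordering: a tracker that connects to the controller and replays a recorded bot reply gets a nonce mismatch, and a network signature cannot key on the bot's opening bytes because the bot has none. What remains observable is the server-first pattern itself and the fixed trailing fields (architecture and version) in the reply.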
3.6 DDoS Attack Methods
The Trojan supports a range of DDoS attack methods, including UDP, TCP, and HTTP floods. After receiving an instruction from the server it first decrypts it, then selects the attack method based on the length of the decrypted instruction rather than on its content.
In the latest version, the attack methods supported by the Trojan are:

| Instruction Length | Instruction Content | Attack Method |
| --- | --- | --- |
| 21 | udp | UDP Flood |
| 22 | handshake | UDP Flood |
| 23 | vse | UDP Flood |
| 24 | gre | UDP Flood |
| 25 | rdp | UDP Flood |
| 26 | ospf | UDP Flood |
| 27 | icmp | ICMP Flood |
| 28 | igmp | UDP Flood |
| 29 | Protorand | UDP Flood |
| 30 | tcp_syn | TCP SYN Flood |
| 31 | tcp_ack | TCP ACK Flood |
| 32 | tcp_ackpsh | TCP ACK/PSH Flood |
| 33 | http | HTTP Flood |
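The length-keyed dispatch, as an added example rather than XorBot's own code. It assumes two things the page does not state outright: that command bytes are protected with the same collapsed table key as the string table in 3.3 (0x16 ^ 0x9F ^ 0x08 ^ 0x00 = 0x81), and that the tabulated "instruction length" is the length of the decrypted buffer. The encoder that pads a keyword and target out to the tabulated length is constructed for the demonstration; the page does not describe how the real controller fills the instruction.

```python
"""Decrypt-then-dispatch-by-length, following the table above.

Added example, not XorBot code. EFFECTIVE_KEY is assumed to apply to
commands; build_command() is a constructed encoder for test input.
"""
EFFECTIVE_KEY = 0x81   # 0x16 ^ 0x9F ^ 0x08 ^ 0x00, assumed to cover commands

# Length -> (instruction keyword, attack method), copied from the table above.
DISPATCH = {
    21: ("udp", "UDP Flood"),
    22: ("handshake", "UDP Flood"),
    23: ("vse", "UDP Flood"),
    24: ("gre", "UDP Flood"),
    25: ("rdp", "UDP Flood"),
    26: ("ospf", "UDP Flood"),
    27: ("icmp", "ICMP Flood"),
    28: ("igmp", "UDP Flood"),
    29: ("Protorand", "UDP Flood"),
    30: ("tcp_syn", "TCP SYN Flood"),
    31: ("tcp_ack", "TCP ACK Flood"),
    32: ("tcp_ackpsh", "TCP ACK/PSH Flood"),
    33: ("http", "HTTP Flood"),
}


def xor_decrypt(data: bytes, key: int = EFFECTIVE_KEY) -> bytes:
    """Single-byte XOR; its own inverse, so it also encrypts test input."""
    return bytes(b ^ key for b in data)


def dispatch(raw: bytes) -> str:
    """Decrypt, then choose the flood purely by length as the page describes.

    The keyword text is never compared, so any buffer of a tabulated length
    triggers the corresponding flood. Unlisted lengths map to 'unknown'."""
    plain = xor_decrypt(raw)
    entry = DISPATCH.get(len(plain))
    return entry[1] if entry else "unknown"


def build_command(keyword: str, target: str) -> bytes:
    """Constructed encoder: '<keyword> <target>' NUL-padded to the length the
    table assigns to that keyword, then XOR-encrypted."""
    lengths = [n for n, (kw, _) in DISPATCH.items() if kw == keyword]
    if not lengths:
        raise KeyError(keyword)
    body = f"{keyword} {target}".encode()
    if len(body) > lengths[0]:
        raise ValueError("target does not fit in this instruction length")
    return xor_decrypt(body.ljust(lengths[0], b"\x00"))


if __name__ == "__main__":
    for kw in ("udp", "tcp_syn", "http"):
        cmd = build_command(kw, "198.51.100.7")   # documentation-range target
        print(kw, len(cmd), "->", dispatch(cmd))
    print("30 arbitrary bytes ->", dispatch(xor_decrypt(b"A" * 30)))
```

The last line of the demo is the point worth remembering when emulating or fuzzing this protocol: because selection is by length alone, the instruction keyword is effectively decorative, and a 30-byte payload of any content is treated as a TCP SYN flood order.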
V. Conclusion
As an emerging botnet family, XorBot is growing quickly and continuously compromising new IoT devices. Notably, its operators increasingly use social media platforms such as Telegram as their main channels for recruitment and promotion, attracting prospective "customers" through early promotional activity and laying the groundwork for the botnet's further expansion.
In addition, the operators keep investing in anti-detection and anti-tracking techniques. At the communication level, a custom check-in exchange makes the traffic harder to fingerprint and track; at the file level, inserting redundant code and obfuscating sample signatures lowers detection rates, making the botnet's activity harder to monitor and identify.
VI. IoC
- Domain and port: conn.masjesu.zip:443
- IP address and port: 216.126.231.240:443
- SHA256: 8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
- MD5: 12f0e9582f0a65984653f75466709743