{"id":30843,"date":"2024-11-21T03:00:58","date_gmt":"2024-11-21T03:00:58","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=30843"},"modified":"2026-04-17T18:07:36","modified_gmt":"2026-04-17T18:07:36","slug":"alert-xorbot-comes-back-with-enhanced-tactics","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/alert-xorbot-comes-back-with-enhanced-tactics\/","title":{"rendered":"Alert: XorBot Comes Back with Enhanced Tactics"},"content":{"rendered":"\n

<\/p>\n\n\n\n

I. Overview<\/strong><\/h2>\n\n\n\n

According to the monitoring by NSFOCUS, since the beginning of 2024, a new-type botnet family with a high level of anti-tracking awareness—XorBot—has been continuously updating its versions and introducing new features, undergoing significant changes.<\/p>\n\n\n\n

This botnet family first emerged in November 2023 and was exclusively disclosed<\/a> by the NSFOCUS Security Labs in December 2023.<\/p>\n\n\n\n

To date, XorBot has become an undeniable security threat in the field of the Internet of Things (IoT), with attackers primarily targeting devices such as Intelbras cameras and routers from TP-Link and D-Link, leading to a large number of IoT devices being compromised.<\/p>\n\n\n\n

As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services.<\/p>\n\n\n\n

Notably, due to its newly registered channel name “Masjesu Botnet,” the security community is also accustomed to naming this family as “Masjesu.” The software released by this family includes a clear version identification, and to date, the latest version has been updated to version 1.04.<\/p>\n\n\n

\n
\"Red<\/a>
Figure 1.1 Masjesu’s Telegram Channel <\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

II. Propagation<\/strong><\/h2>\n\n\n\n

This botnet primarily targets IoT devices from brands such as Intelbras surveillance cameras, TP-Link, and D-Link for propagation. Once an attack is successful, it runs a malicious Trojan program on the compromised device, with the latest version of the Trojan built-in with up to 12 different exploit methods, as listed below:<\/p>\n\n\n\n

Vulnerability<\/strong><\/td>Target Devices<\/strong><\/td><\/tr><\/thead>
UPnP SOAP TelnetD Command Execution<\/td>D-Link devices<\/td><\/tr>
Netgear cgi-bin Command Injection<\/td>Netgear R7000\/R6400 devices<\/td><\/tr>
CCTV\/DVR Remote Code Execution<\/td>CCTVs, DVRs from over 70 vendors<\/td><\/tr>
HNAP SoapAction-Header Command Execution<\/td>D-Link devices<\/td><\/tr>
JAWS Webserver unauthenticated shell command execution<\/td>MVPower DVRs, among others<\/td><\/tr>
Netgear setup.cgi unauthenticated RCE<\/td>DGN1000 Netgear routers<\/td><\/tr>
Vacron NVR RCE<\/td>Vacron NVR devices<\/td><\/tr>
Eir WAN Side Remote Command Injection<\/td>Eir D1000 routers<\/td><\/tr>
CVE-2014-8361<\/td>Different devices using the Realtek SDK with the miniigd daemon<\/td><\/tr>
CVE-2017-17215<\/td>Huawei HG532<\/td><\/tr>
GPON Exploit<\/td>GPON<\/td><\/tr>
CVE-2023-1389<\/td>TP-Link<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n\n\n\n

After successfully exploiting the vulnerabilities to infiltrate the devices, the Trojan is placed in the \/tmp directory of the infected device:<\/p>\n\n\n

\n
\"Red<\/a>
Figure 2.1 Data in \/tmp Directory<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

The process information of the infected device is as follows (\/tmp\/mipsel):<\/p>\n\n\n

\n
\"Red<\/a>
Figure 2.2 Process Information of Infected Device<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

III. Trojan Analysis<\/strong><\/h2>\n\n\n\n

3.1 Trojan Version Changes<\/p>\n\n\n\n

The latest version of XorBot, while maintaining a high degree of similarity with earlier versions, also shows significant differences, mainly in the following aspects:<\/p>\n\n\n\n