Malware tied to Chinese hackers peddling DDoS service

Jan 6, 2016 23:05 GMT

Similar-looking malware targeting both Linux and Windows computers has been linked to a DDoS toolkit sold by Chinese hackers via the ddos[.]tf service, Malware Must Die! reports.

The malware, codenamed Linux/DDOSTF (or Linux/MrBlack), mainly targets Linux machines running Elasticsearch servers, but it also attacks and infects Windows systems, particularly older Windows XP and Windows Server 2003 instances.
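The listener check below is an added example and is not code from the Malware Must Die! report or from this article. It assumes, as the article does not state, that the attackers reach Elasticsearch over the network, so the practical first question for an operator is whether the service answers on anything but loopback. The function name `check_es_exposure` and the `ss -lntp`-style sample lines are constructed for illustration.

```shell
#!/bin/sh
# Flag Elasticsearch listeners (9200 REST, 9300 transport) that are bound to a
# non-loopback address. Reads `ss -lntp`-style output on stdin.
# Exit status: 0 when every Elasticsearch listener is loopback-only, 1 otherwise.
check_es_exposure() {
    awk '
      $1 == "LISTEN" {
        addr = $4                                  # "Local Address:Port" column
        n = split(addr, parts, ":")
        port = parts[n]                            # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port == 9200 || port == 9300) {
          # Loopback forms as ss prints them; anything else is reachable remotely.
          if (host == "127.0.0.1" || host == "[::1]" || host == "::1") {
            print "ok      " addr
          } else {
            print "EXPOSED " addr
            exposed++
          }
        }
      }
      END { exit (exposed > 0) }
    '
}

# Constructed sample (assumption: one host, Elasticsearch REST on the wildcard
# address, transport port on loopback only). Not captured from a real system.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=611,fd=3))
LISTEN 0      4096   *:9200            *:*           users:(("java",pid=1893,fd=212))
LISTEN 0      4096   127.0.0.1:9300    0.0.0.0:*     users:(("java",pid=1893,fd=215))'

printf '%s\n' "$SAMPLE" | check_es_exposure \
    || echo "Elasticsearch is reachable from other hosts; restrict network.host or firewall it"
```

On a live host, pipe the real listener table in with `ss -lntp | check_es_exposure`; a non-zero exit is the signal to fix `network.host` in elasticsearch.yml or to firewall ports 9200 and 9300 before looking for the malware itself.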

Malware Must Die! reports that Windows infections occur via a PHP/MySQL webshell that abuses WMI (Windows Management Instrumentation) to run commands on the host, upload the malware and later execute it, giving the attackers system-level control over the infected machine. The Windows version of this malware is detected as the Mr.Black trojan.

The researchers also note that the Linux variant of this malware, distributed as a malicious ELF executable, shares many similarities with an older malware family named JrLinux, to which it may be related. Additionally, some of the code appears to have been copied from another well-known Linux malware family, Linux/BillGates.

Both malware samples link back to the ddos[.]tf service

Analyzing telemetry data from infected machines, researchers say that this malware is part of a bigger botnet, used mainly to launch DDoS attacks.

Using clues left behind by the Linux/DDOSTF author in the malware's source code, the researchers were able to link the infected computers with the ddos[.]tf Web service.

This website offers for sale the Wrath DDoS Cluster (or Curse DDoS Cluster, translated from 天罚DDoS集群). The website's Chinese owners advertise it as a pen-testing utility, but in fact it is a control panel for launching DDoS attacks.

Further investigating the Linux/DDOSTF source code, Malware Must Die! researchers were able to map several of the malware's capabilities to features and buttons in the DDoS tool's control panel.

"This panel is really heavy loaded not only with malware but with webshell weapons & hacking tools. The ELF & Windows malware used are pointing to the ddos.tf," conclude the researchers. "Are these attackers [currently infecting systems and launching DDoS attacks] actually the actor behind ddos.tf site (owners/administrators)? Or maybe one of the 'customers' of the ddos.tf? It's still a question."

The DDoS tool's control panel
The ddos.tf website, where the DDoS tool is sold