Similar malware focusing on Linux and Windows computers has a connection to a DDoS toolkit sold by Chinese attackers, researchers said.
The malware, called Linux/DDOSTF (or Linux/MrBlack), mainly targets Linux machines running Elasticsearch servers, but it can also go after Windows systems, especially Windows XP and Windows Server 2003, said researchers at Malware Must Die!
Windows infections occur via a PHP-MySQL webshell that exploits the WMI (Windows Management Instrumentation) architecture, allowing the attackers to infiltrate systems, upload the exploit, and later execute it, gaining system privileges on the infected machine, the researchers said. The Windows version of this malware is the Mr.Black Trojan, they said in a blog post.
The Linux variant of this malware, distributed as a malicious ELF executable, has similarities with an older malware named JrLinux, the researchers said. Some of the code may have also come from another Linux malware, Linux/BillGates.
Analyzing telemetry data from infected machines, researchers said this malware is part of a bigger botnet, used mainly to launch DDoS attacks.
Using clues left behind by the Linux/DDOSTF author in the malware’s source code, the researchers connected the infected computers with the ddos[.]tf Web service.
Continuing their research, the Malware Must Die! team looked at the Linux/DDOSTF source code and were able to link various capabilities of the malware to features and buttons in the DDoS tool's control panel.
“This panel is really heavy loaded not only with malware but with webshell weapons & hacking tools. The ELF & Windows malware used are pointing to the ddos.tf,” the researchers said.