- Host downloads an app, or visits a compromised site (drive by download) getting infected with ELF based Malware. The ELF executable triggers the host to perform a DNS requests for aa.hostasa.org to locate the CnC server. Once the DNS request is resolved and the server is located, the infected host will connect to the server via HTTP port 80. The server will then respond to the infected host with CnC instructions or further staging/downloading of Malware.
- Most DNS servers will not respond/answer any requests for aa.hostasa.org, however, the Malware should still be located on the host and removed.
- DNS Port 53 for initial discovery
- HTTP Port 80 for CnC instructions
Known False Positive Indicators
- FireWalls with rules regarding aa.hostasa.org will attempt to resolve the domain to an IP by performing a DNS request which appears as though a host is infected by the ELF Malware. This will be recognizable by the DNS requests originating from your FireWall but won't be seen on the LAN side of your network.
- Malware/ BOT/ CnC
TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)
Please sign in to leave a comment.