📃Title: Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally
📅Date: 2025-02-27
🔗References:

Description

The Vo1d botnet has infected 1.6 million Android TV devices across more than 200 countries, making it a significant cybersecurity threat. The new variant shows enhanced stealth and resilience: it uses RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The botnet’s scale and capabilities surpass those of previous major attacks and could enable devastating DDoS attacks or unauthorized content broadcasting. Analysis reveals a sophisticated multi-component system comprising downloaders, backdoors, and modular malware for proxy services and ad fraud. The botnet’s rapid growth and evasion techniques underline the urgent need for stronger security measures in smart TV devices and set-top boxes.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information="Brazil"
  • target-information="South Africa"
  • target-information="Indonesia"
  • target-information="Argentina"
  • target-information="Thailand"
  • target-information="China"
  • target-information="Morocco"
  • target-information="Philippines"
  • target-information="Germany"
  • target-information="Malaysia"
  • target-information="Pakistan"
  • target-information="Iraq"
  • target-information="Mexico"
  • target-information="Russia"
  • target-information="Ecuador"
  • target-information="British Indian Ocean Territory"
  • target-information="India"
  • target-information="United States"
  • mitre-attack-pattern=['T1129', 'T1082', 'T1071', 'T1140', 'T1036', 'T1055', 'T1112', 'T1016', 'T1059', 'T1568', 'T1036.004', 'T1102', 'T1608', 'T1001', 'T1027', 'T1573', 'T1012', 'T1132', 'T1027.002', 'T1105']

MISP event uuid: 2e6942b8-b695-4934-87b9-dcb18811d13c

Indicator of Compromise (IoCs)


Full IOCs available in Rectifyq's MISP.