BillGates is a Linux DDoS malware family, also referenced as Linux/DDoS-BD in the provided content. It has been observed as a payload delivered in campaigns exploiting Oracle WebLogic Server vulnerability CVE-2018-2893. In that activity cluster, a JAR payload downloaded a shell script on Linux/Unix-like systems that retrieved BillGates variants named SYN_145 and SYN_7008. Those variants were described as BillGates DDoS malware with command-and-control at 121.18.238.56 on ports 145 and 7008 respectively. The same campaign also deployed XMRig cryptocurrency mining payloads and helper scripts that killed high-CPU processes. The content also notes that BillGates has been attributed by some to the Elknot authors, and that attackers attempted to retrieve the BillGates malware family during honeypot activity. Separately, CISA and partners listed BillGates among botnets observed exploiting routinely exploited vulnerabilities in 2022. High-confidence indicators directly mentioned in the content include the URLs hxxp://121.18.238.56:8080/SYN_145 and hxxp://121.18.238.56:8080/SYN_7008, and C2 endpoints 121.18.238.56:145 and 121.18.238.56:7008.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
2 configuration encryption schemes have been found – RSA encryption – XOR like encryption
Attack methods ... CAttackIcmp ICMP flood ... CAttackSyn TCP syn flood ... CAttackUdp UDP flood ... CAttackCompress TCP packet attack
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux DDoS malware family that the same attacker later attempted to retrieve; mentioned as possibly linked by some researchers to Elknot authors.
BillGates is a botnet malware family that targets Linux systems, primarily used for launching DDoS attacks and sometimes for cryptocurrency mining.
BillGates is a botnet malware family that targets Linux systems, enabling DDoS attacks and remote control of infected machines.
DDoS malware referenced as “BillGates” with variants/binaries SYN_145 and SYN_7008 that beacon to C2 on 121.18.238.56 over ports 145 and 7008 respectively.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.