Microsoft has discovered a significant increase in Linux XorDDoS malware behavior

As per the recent news, it claims that Microsoft has discovered an activity on a stealthy and modular virus used to get into Linux devices and establish a DDoS botnet has increased by 254 percent in the last six months. Due to its use of XOR-based encryption when interacting with command-and-control (C2) servers and being used to perform distributed denial-of-service (DDoS) attacks, this malware (active since at least 2014) is known as XorDDoS (or XOR DDoS). The botnet’s success, according to the business, is due to its widespread use of numerous evasion and persistence strategies, which allow it to remain inconspicuous and difficult to eradicate.

Microsoft has discovered a significant increase in Linux XorDDoS malware behavior

From Microsoft 356 Defender Research Team, they stated that its evasion skills include obscuring the malware’s operations, avoiding rule-based detection algorithms and hash-based harmful file lookup, and breaking process tree-based analysis with anti-forensic techniques. They also discovered that XorDdos hides harmful activity from examination by overwriting sensitive files with a null byte in recent campaigns.

As per the studies, XorDDoS is recognized for infecting vulnerable Linux systems in SSH brute-force attacks, ranging from ARM (IoT) to x64 (servers). It uses a shell script to spread to more devices, which attempts to log in as root using various passwords across thousands of Internet-exposed computers until it finds a match. The malware’s controllers use the XorDDoS botnet to install rootkits, maintain access to hacked machines, and, most likely, drop more malicious payloads, in addition to executing DDoS attacks.

According to the sources, it stated that Microsoft discovered that systems infected with XorDdos were later infected with other malware, including the Tsunami backdoor, which deploys the XMRig coin mine. While they didn’t see XorDdos install and distribute secondary payloads like Tsunami, the trojan is probably being used as a vector for subsequent attacks.

As per the sources, the sharp increase in XorDDoS activity discovered by Microsoft since December corresponds to a report by cybersecurity firm CrowdStrike, which stated that Linux malware grew by 35% in 2021 compared to the previous year. XorDDoS, Mirai, and Mozi were the most common malware families in 2021, accounting for 22% of all malware attacks targeting Linux machines.

Furthermore, XorDDoS experienced a remarkable year-over-year increase of 123 percent. At the same time, Mozi had an exponential activity growth, with 10 times more samples found in the wild throughout last year, according to CrowdStrike. According to an Intezer analysis from February 2021, Linux malware groups increased by around 40% in 2020 compared to 2019.