Microsoft warns of massive surge in Linux XorDdos malware usage

254% increase in activity of stealthy Linux XorDdos malware observed over the past six months

Microsoft warned on Friday that it has detected a 254% increase in the activity of the stealthy Linux XorDdos malware over the past six months.

The growth in XorDdos activity, according to the Microsoft 365 Defender Research Team, reflects the trend of malware increasingly targeting Linux-based operating systems, which are widely used in cloud infrastructure and Internet of Things (IoT) devices.

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service (DDoS) attacks," said Microsoft researchers in a blog post.

XorDdos was first uncovered by the research group MalwareMustDie in 2014. It was given the name XorDdos because it carries out distributed denial-of-service (DDoS) attacks from Linux systems and utilises XOR-based encryption to phone home to its command-and-control (C2) infrastructure.

XorDdos gains remote control over vulnerable IoT and other devices by conducting secure shell (SSH) brute-force attacks, which enable it to build a botnet capable of carrying out DDoS attacks.

SSH is a secure network communication protocol used for remote system management.

Once credentials are obtained, the botnet uses root privileges to install itself on the Linux device and then uses XOR-based encryption to communicate with the attacker's C2 infrastructure.
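The SSH brute-force-then-login pattern described above is visible in sshd's own log messages. The following is an added example, not code from the Microsoft report: it parses constructed OpenSSH-style auth.log lines, flags sources that exceed a failure threshold inside a short window, and reports any password login those sources later achieved. The thresholds and the sample lines are assumptions chosen for illustration.

```python
"""Flag SSH password brute-forcing and the login that follows it.

Added example, not code from the Microsoft report. The log lines are
constructed to look like OpenSSH entries in /var/log/auth.log; the
thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches e.g. "May 20 10:00:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2"
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Accepted password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def _parse_ts(raw, year):
    # syslog timestamps carry no year; the caller supplies it
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")

def analyse_auth_log(lines, fail_threshold=10, window_seconds=60, year=2022):
    """Return {ip: summary} for sources with >= fail_threshold failed password
    attempts inside any window_seconds window. A later successful password
    login from such a source is listed under "logged_in_as": that is the
    brute-force-then-install pattern described in the article."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for line in lines:
        m = _FAILED.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"], year), m["user"]))
            continue
        m = _ACCEPTED.match(line)
        if m:
            accepted[m["ip"]].append((_parse_ts(m["ts"], year), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over sorted times
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= fail_threshold:
            first_fail = events[0][0]
            findings[ip] = {
                "max_failures_in_window": peak,
                "usernames_tried": sorted({u for _, u in events}),
                "logged_in_as": sorted({u for t, u in accepted.get(ip, []) if t >= first_fail}),
            }
    return findings

# Constructed sample: one source sprays 12 passwords in 12 seconds and then
# gets in as root; a second source fails twice and stays below the threshold.
_USERS = ["admin", "root", "test", "oracle", "pi", "ubuntu", "git", "user", "postgres", "admin", "root", "root"]
SAMPLE_LOG = [
    f"May 20 10:00:{i:02d} host1 sshd[{1000 + i}]: Failed password for "
    f"{'' if u == 'root' else 'invalid user '}{u} from 203.0.113.7 port {40000 + i} ssh2"
    for i, u in enumerate(_USERS)
] + [
    "May 20 10:00:13 host1 sshd[1012]: Accepted password for root from 203.0.113.7 port 40013 ssh2",
    "May 20 10:05:00 host1 sshd[1100]: Failed password for root from 198.51.100.5 port 51000 ssh2",
    "May 20 10:05:30 host1 sshd[1101]: Failed password for root from 198.51.100.5 port 51001 ssh2",
]

if __name__ == "__main__":
    for ip, info in analyse_auth_log(SAMPLE_LOG).items():
        print(ip, info)
```

The "logged_in_as" field is the one worth alerting on: a source that sprays passwords and then gets an "Accepted password" is the moment the article's installation step begins, and on a real host the next things to look for are new entries in cron, init scripts and /etc/init.d.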

Microsoft said it mitigated a 2.4 Tbps DDoS attack in August last year, in which the attack traffic originated from about 70,000 sources in Taiwan, Japan, China, Malaysia, Vietnam and the United States.

DNS attacks, SYN flood attacks and ACK flood attacks are among the DDoS methods that XorDdos uses. It also gathers information about an infected device, such as the OS release version, RAM and CPU statistics, LAN speed, the malware's magic string and whether a rootkit is present, and sends it in encrypted form to the C2 server.
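The "encrypted form" here is repeating-key XOR, and the practical consequence for an analyst is that it is reversible from a single captured message once any part of the plaintext is predictable. The following is an added example, not code from the Microsoft report: it obfuscates a constructed beacon with a repeating key, then recovers the key from a known marker and parses the fields. The key value, the "XORDDOS|" marker and the field layout are assumptions invented for illustration; the real malware's key and message format are not reproduced.

```python
"""Repeating-key XOR as a C2 obfuscation layer, and how a captured beacon
is recovered from it.

Added example, not code from the Microsoft report. The key, the beacon
layout and the "XORDDOS|" marker below are constructed for illustration;
the real malware's key and message format are not reproduced here.
"""
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The operation is its own inverse, so
    the same call both obfuscates and de-obfuscates."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the first key_len bytes of plaintext are
    predictable (a fixed marker, a field name), XORing them against the
    ciphertext yields the whole key. This is why repeating-key XOR protects
    nothing once one message structure is understood."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))

# Constructed beacon layout (an assumption): marker|os_release|ram_mb|cpus|lan_mbps
BEACON_MARKER = b"XORDDOS|"

def encode_beacon(os_release: str, ram_mb: int, cpus: int, lan_mbps: int, key: bytes) -> bytes:
    """Build the constructed beacon and obfuscate it, as the bot side would."""
    fields = [os_release, str(ram_mb), str(cpus), str(lan_mbps)]
    return xor_bytes(BEACON_MARKER + "|".join(fields).encode(), key)

def decode_beacon(ciphertext: bytes, key_len: int) -> dict:
    """Analyst side: recover the key from the fixed marker, verify the marker
    decodes cleanly (a wrong key length fails here), then parse the fields."""
    key = recover_key(ciphertext, BEACON_MARKER, key_len)
    plain = xor_bytes(ciphertext, key)
    if not plain.startswith(BEACON_MARKER):
        raise ValueError("marker did not decode; wrong key length or format")
    os_release, ram_mb, cpus, lan_mbps = plain[len(BEACON_MARKER):].decode().split("|")
    return {
        "key": key.hex(),
        "os_release": os_release,
        "ram_mb": int(ram_mb),
        "cpus": int(cpus),
        "lan_mbps": int(lan_mbps),
    }

# Constructed 8-byte key and a beacon obfuscated with it.
SAMPLE_KEY = bytes.fromhex("9f3ac2e7b8144d5e")
SAMPLE_CIPHERTEXT = encode_beacon("Linux 5.4.0-109-generic", 2048, 4, 100, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_CIPHERTEXT, key_len=8))
```

The same property works in the other direction for the defender: once the key is known, every beacon and command on the wire can be decoded, which is what makes network signatures on the decoded content feasible despite the "encryption".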

The botnet's success, according to Microsoft, is due to its use of multiple evasion and persistence strategies, which make it hard to detect and difficult to remove.

Microsoft examined a 32-bit ELF file that included debug symbols detailing the malware's specialised code for each of its actions. It discovered that XorDdos has modules with specific functionalities to evade detection.

"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis," Microsoft 365 Defender Research Team said.

The researchers also found XorDdos concealed its malicious activity in recent campaigns by overwriting sensitive files with a null byte.
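Blanking a log with null bytes leaves a recognisable signature of its own: a non-empty file whose leading bytes are all 0x00, which no genuine text log produces. The following is an added example, not code from the Microsoft report: it builds a constructed look-alike of a log directory in a temporary location and reports the files that have been null-filled. Pointing it at /var/log on a real host is an assumption about where such files live.

```python
"""Spot log files that have been blanked with null bytes, an anti-forensic
trick the article attributes to recent XorDdos campaigns.

Added example, not code from the Microsoft report. The directory and files
below are constructed in a temporary location so the check runs offline;
on a real host you would point scan_for_nulled_logs at /var/log
(assumption: that is where the overwritten files live).
"""
import os
import tempfile

def is_null_filled(path: str, sample_bytes: int = 4096) -> bool:
    """True if the file is non-empty and its first sample_bytes are all 0x00.
    A genuine text log never starts with a run of nulls, so this is a cheap
    first-pass indicator; sparse files and binary logs need separate handling."""
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    return bool(head) and not head.strip(b"\x00")

def scan_for_nulled_logs(directory: str) -> list:
    """Return sorted relative paths of regular (non-symlink) files under
    directory that is_null_filled flags."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.isfile(full) and not os.path.islink(full) and is_null_filled(full):
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)

def build_sample_dir() -> str:
    """Create a constructed /var/log look-alike: one normal log, one log
    overwritten with nulls, one empty log that must not be flagged."""
    d = tempfile.mkdtemp(prefix="xorddos-logs-")
    with open(os.path.join(d, "syslog"), "wb") as f:
        f.write(b"May 20 10:00:01 host1 systemd[1]: Started Daily apt download activities.\n")
    with open(os.path.join(d, "messages"), "wb") as f:
        f.write(b"\x00" * 8192)      # the anti-forensic overwrite
    open(os.path.join(d, "auth.log"), "wb").close()   # empty: not flagged
    return d

if __name__ == "__main__":
    print(scan_for_nulled_logs(build_sample_dir()))
```

A hit from this check means the local copy of the log is gone, so the investigation has to fall back on logs shipped off the host before the overwrite, which is the argument for forwarding them in the first place.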

In addition to launching DDoS attacks, the attackers also use the XorDdos botnet to install rootkits, maintain access to infected machines and, most likely, drop further malicious payloads.

Microsoft researchers discovered that systems infected with XorDdos were subsequently infected with other malware, such as the Tsunami backdoor, which installs the XMRig coin miner.

The sharp increase in XorDdos activity since December lines up with the findings of a study by cybersecurity company CrowdStrike, which said that Linux malware grew by 35% in 2021 compared to the previous year.

Last week, Microsoft also issued a warning about a new botnet variant that installs a cryptocurrency miner on the systems it compromises. The malware is a variant of the Sysrv botnet, which spreads by exploiting security flaws in the Spring Framework and WordPress plugins.