Microsoft warns of a huge leap in the use of Linux XorDdos malware

Microsoft warned on Friday that it had discovered a 254% increase in the activity of hidden Linux XorDdos malware over the past six months.

The rise in XorDdos activity, according to Microsoft’s 365 Defender research team, reflects the trend of malware increasingly targeting Linux-based operating systems that are widely used in cloud infrastructure and Internet of Things (IoT) devices.

“By compromising the IoT and other Internet-connected devices, XorDdos is accumulating botnets that can be used to carry out distributed denial-of-service (DDoS) attacks,” Microsoft researchers said. blog post.

First discovered by research group MalwareMustDie in 2014, it was named XorDdos due to the fact that it performs distributed denial-of-service (DDoS) attacks on Linux systems and uses XOR-based encryption to make calls at home.

XorDdos gains remote control of vulnerable IoT and other devices by performing secure shell attacks (SSH) attacks, which allow it to build a botnet capable of carrying out DDoS attacks.

SSH is a secure network communication protocol used to remotely control the system.

Once credentials are received, the botnet uses root privileges to install on the Linux device and then uses XOR-based encryption to communicate with the attacker’s C2 infrastructure.

Microsoft said it mitigated a 2.4 Tbps DDoS attack in August last year, in which the attack traffic came from about 70,000 sources in Taiwan, Japan, China, Malaysia, Vietnam and the United States.

DNS attacks, SYN flood attacks and ACK flood attacks are among the DDoS methods XorDdos uses. It collects information about an infected device, such as the OS version, RAM and CPU statistics, LAN speed, magic string, rootkit presence, etc., and sends it in encrypted form to the C2 server.

The success of the botnet, according to Microsoft, is due to its use of many avoidance and persistence strategies that make it difficult to detect and remove.

Microsoft has examined a 32-bit ELF file that includes debug symbols detailing the specialized malware code for each action. He found that XorDdos has modules with specific detection avoidance functionality.

“Its avoidance options include concealing malware activities, avoiding rule-based detection mechanisms and hash-based malware searches, and using anti-forensic techniques to disrupt process-based analysis.” said the Microsoft 365 Defender research team.

Researchers also found that XorDdos has hidden its malicious activity in recent campaigns by overwriting sensitive zero-byte files.

In addition to launching DdoS attacks, attackers also use the XorDdos botnet to install rootkits, maintain access to infected machines, and possibly drop more malicious payloads.

Microsoft researchers found that systems infected with XorDdos were subsequently infected with other malicious software, such as the Tsunami backdoor, which installed the XMRig coin miner.

The sharp increase in XorDdos activity since December is in line with the findings of a study by cybersecurity company CrowdStrike, which found that Linux malware grew by 35% in 2021 compared to the previous year.

Last week, Microsoft also issued a warning for a new botnet that installs a cryptocurrency miner to install a cryptocurrency miner. Malware is a variant of the Sysrv botnet that works by using security vulnerabilities in the Spring Framework and WordPress plugins.