A Linux botnet malware known as XorDdos has witnessed a 254% surge in activity over the last six months, according to latest research from Microsoft.
The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is known to have been active since at least 2014.
“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures,” Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team said in an exhaustive deep-dive of the malware.
“Its SSH brute-force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.”
Remote control over vulnerable IoT and other internet-connected devices is gained by means of secure shell (SSH) brute-force attacks, enabling the malware to form a botnet capable of carrying distributed denial-of-service (DDoS) attacks.
Besides being compiled for ARM, x86, and x64 architectures, the malware is designed to support different Linux distributions, not to mention come with features to siphon sensitive information, install a rootkit, and act as a vector for follow-on activities.
In a further sign that the malware could act as a conduit for other threats, devices originally breached with XorDdos are being subsequently infected with another Linux trojan called Tsunami, which then deploys the XMRig coin miner.
In recent years, XorDdos has targeted unprotected Docker servers with exposed ports (2375), using victimized systems to overwhelm a target network or service with fake traffic in order to render it inaccessible.
XorDdos has since emerged as the top Linux-targeted threat in 2021, followed by Mirai and Mozi, accounting for more than 22% of all IoT malware observed in the wild, per cybersecurity firm CrowdStrike.
“XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy,” the researchers noted.
“Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”