One particular strain of Linux malware has seen phenomenal growth in the past six months, Microsoft says, urging owners of Linux devices to secure their endpoints.
The Redmond-based software giant claims that usage of the XorDDoS malware over the past six months has increased by 254%. While the primary use case for XorDDoS is, as the name suggests, to create a Distributed Denial of Service (DDoS) botnet, it can also be used as a gateway for distributing additional payloads.
“We found that devices initially infected with XorDdos were later infected with other malware such as the Tsunami backdoor, which further deploys the XMRig coin miner,” Microsoft said in its announcement. “Although we have not observed XorDdos directly installing and distributing secondary payloads like Tsunami, it is possible that the Trojan is being used as a vector for tracking activities.”
XorDDoS, which uses XOR-based encryption to communicate with its command-and-control (C2) servers, is a relatively old strain of malware that has been around since at least 2014. It owes its longevity to its success in evading detection by antivirus solutions and to its strong persistence tactics.
“Its evasion capabilities include obfuscating malware activities, evading rule-based detection mechanisms and hash-based malicious file searches, as well as using anti-forensic techniques to break tree-based analysis of the malware,” Microsoft added.
“We have observed in recent campaigns that XorDdos hides malicious activity from scanning by overwriting sensitive files with a null byte.”
Endpoint architecture is no barrier, however: the malware has been spotted infecting ARM devices (internet of things equipment) as well as x64 servers. It compromises vulnerable devices via SSH brute-force attacks.
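As an added illustration for defenders (not code from Microsoft's report or from the malware itself), a small Python check for the null-byte overwrite described above: plain-text logs and shell histories never legitimately contain NUL bytes, so a file that is mostly `\x00` is a strong sign it was blanked rather than rotated. The file paths and sample log line are assumptions constructed for the demo.

```python
import os
import tempfile

# Plain-text artefacts worth watching on a host. Assumed paths, not from the report.
# Binary logs such as /var/log/wtmp legitimately contain NUL padding and must NOT be
# checked with this heuristic; they need a record-level parser instead.
WATCHED_TEXT_FILES = ["/var/log/auth.log", "/var/log/syslog", "/root/.bash_history"]


def nul_fraction(path, sample_bytes=65536):
    """Fraction of NUL bytes in the first sample_bytes of a file (0.0 if empty/unreadable)."""
    try:
        with open(path, "rb") as f:
            data = f.read(sample_bytes)
    except OSError:
        return 0.0
    if not data:
        return 0.0
    return data.count(b"\x00") / len(data)


def find_nulled_files(paths, threshold=0.5):
    """Return the paths whose sampled content is mostly NUL bytes.

    Ordinary log rotation truncates a file to zero length, which is not flagged;
    a text file full of \\x00 matches the overwrite described in the report.
    """
    return [p for p in paths if nul_fraction(p) >= threshold]


def demo():
    """Constructed sample: one intact log, one blanked log, one empty (rotated) log."""
    d = tempfile.mkdtemp()
    intact = os.path.join(d, "auth.log")
    blanked = os.path.join(d, "syslog")
    rotated = os.path.join(d, "bash_history")
    with open(intact, "wb") as f:  # constructed sshd line, documentation-range address
        f.write(b"May 20 10:01:02 host sshd[123]: Failed password for root "
                b"from 203.0.113.5 port 4242 ssh2\n")
    with open(blanked, "wb") as f:  # mimics a file overwritten with null bytes
        f.write(b"\x00" * 4096)
    open(rotated, "wb").close()     # zero-length file: normal rotation, not flagged
    return find_nulled_files([intact, blanked, rotated]), blanked


if __name__ == "__main__":
    flagged, _ = demo()
    print("files that look blanked:", flagged)
```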
These findings are in line with a recent report by CrowdStrike, which indicates that Linux malware increased by more than a third (35%) in 2021 compared to the previous year.