One particular strain of Linux malware has seen tremendous growth in the last six months, Microsoft says, urging Linux device owners to secure their endpoints.
The Redmond software giant claims XorDDoS malware’s usage in the last six months rose by 254%. While XorDDoS’ primary use case is, as its name would suggest, to build a Distributed Denial of Service (DDoS) botnet, it can also be used as a gateway for the distribution of additional payloads.
“We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner,” Microsoft said in its announcement. “While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it’s possible that the trojan is leveraged as a vector for follow-on activities.”
XorDDoS, which uses XOR-based encryption to communicate with its C2 servers, is a relatively old malware strain, that’s been around since at least 2014. It owes its longevity to the fact that it’s relatively successful in evading detection by antivirus solutions, and has solid persistence tactics.
“Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis,” Microsoft further said.
“We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte.”
The endpoint’s architecture isn’t an eliminatory factor, though, as the malware has been spotted infecting ARM devices (Internet of Things gear), as well as x64 servers. It compromises vulnerable ones via SSH brute-force attacks.
These findings are aligned with a recent report by Crowdstrike, which said malware for the popular OS increased by more than a third (35%) in 2021, compared just to the year prior.