XorDdos, a stealthy distributed denial-of-service (DDoS) malware targeting Linux devices has witnessed a massive 254% increase in activity during the last six months, Microsoft revealed in a report.
The malware launches automated password-guessing assaults across thousands of Linux servers to find identical admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration.
Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device. It also employs XOR-based encryption to communicate with the attacker's command and control infrastructure.
The malware enables adversaries to create potentially significant disruptions on target systems and is used to bring in other dangerous threats or to provide a vector for follow-on activities. Microsoft found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner.
"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities," Microsoft wrote in a blog post. The malware can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte.
"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions," Microsoft notes.
The XorDdos payload Microsoft examined is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft notes that XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is offline.
In recent years, XorDdos has targeted misconfigured Docker clusters in the cloud using compromised systems to overwhelm a target network or service with fake traffic in order to render it inaccessible. According to CrowdStrike, XorDdos was one of the most active Linux-based malware families of 2021, with 35% growth compared to the previous year.
Besides launching DDoS attacks, the malware’s operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads.