The Microsoft 365 Defender research team warned that there has been a 254% spike in activity from a Linux malware called XorDdos in the last six months.
What Is XorDdos?
According to the research team, XorDdos is part of a growing trend of malware targeting Linux-based operating systems, which are used extensively in cloud infrastructure and IoT devices.
XorDdos amasses botnets that are used to execute distributed denial-of-service (DDoS) attacks by exploiting IoT and other internet-connected devices. Using a botnet to launch DDoS attacks has the potential to cause major disruptions.
DDoS attacks are harmful in their own right for a variety of reasons, but they can also be used as cover for other malicious operations, including malware distribution and infiltration of target systems.
Microsoft noted that XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers, as well as its use of XOR-based encryption for its communications. It was first detected in 2014 by the research group MalwareMustDie.
Technical Analysis
Cyber Security News reported that XorDDoS targets Linux systems ranging from ARM (IoT devices) to x64 (servers), gaining access through SSH brute-force attacks.
It propagates to as many machines as possible using a shell script that attempts to log in as root on newly discovered internet-facing hosts, trying different passwords until one matches.
Devices compromised by XorDdos can subsequently be infected with Tsunami, a Linux Trojan that installs the XMRig miner. XorDdos has also reportedly spent the past few years targeting open port 2375 on unprotected Docker servers.
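As an added defender-side example (not code from the article, from Microsoft, or from the malware), the following Python flags the propagation pattern described above in sshd log lines: a burst of failed password logins for root from one source address, and any source that then obtains an accepted root password login. The log lines, hostname and IP addresses are constructed for illustration; the log year is assumed, since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
May 20 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51001 ssh2
May 20 10:00:02 web1 sshd[2202]: Failed password for root from 203.0.113.5 port 51002 ssh2
May 20 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51003 ssh2
May 20 10:00:04 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 51004 ssh2
May 20 10:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51005 ssh2
May 20 10:00:06 web1 sshd[2206]: Accepted password for root from 203.0.113.5 port 51006 ssh2
May 20 10:30:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 20 11:00:00 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for <user> from <ip> port <n>" messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2022):
    """Return (timestamp, result, method, user, ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect_root_bruteforce(log_text, threshold=5, window_s=60):
    """Return (bruteforcers, compromised): IPs with >= threshold failed root password
    attempts inside a sliding window_s window, and those later accepted as root."""
    failures = defaultdict(list)
    bruteforcers, compromised = set(), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, method, user, ip = ev
        if user != "root" or method != "password":
            continue  # only root password guessing is in scope here
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                bruteforcers.add(ip)
        elif ip in bruteforcers:
            compromised.add(ip)  # success after a burst of failures: treat as a likely compromise
    return bruteforcers, compromised
```

Sources in `compromised` warrant an incident response on the host, not just a firewall block, since a successful root login means the shell script has likely already run.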
XorDDoS' operators use the malware not just to perform DDoS attacks against vulnerable computers, but also to:
- Install rootkits
- Sustain access to the compromised devices
- Drop additional malicious payloads
XorDDoS, Mirai, and Mozi are the most common malware families, accounting for 22% of all malware attacks identified in 2021 targeting Linux devices.
XorDDoS in particular saw a considerable surge in activity over the last year, with a 123% increase, while ten times more Mozi samples were discovered in the wild this year than in the previous year, showing exponential growth.
There Has Been an Increase in DDoS Attacks in the Past 2 Years
As per a Gov Info Security news report citing a Microsoft blog from February 2021, DDoS attacks have increased by over 50%, with rising complexity and a large increase in DDoS traffic. Microsoft states that on any given day in 2020 it mitigated an average of 500 multi-vector attacks against Azure resources.
The blog attributes this to the COVID-19 outbreak and the subsequent move to remote working, which produced a surge in internet traffic and made DDoS attacks easier to launch, because attackers did not need to generate as much traffic of their own to bring down services.
Microsoft claims it mitigated between 800 and 1,000 multi-vector attacks each day between March and April 2020.