A stealthy and modular malware, known as XorDDoS, that used to hack into Linux devices and build a distributed denial-of-service (DDoS) botnet has seen a massive 254% increase in activity during the last six months, Microsoft revealed in a report.
This malware was disclosed by the cyber security research group MalwareMustDie in 2014 and is found to be active since then. XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.
The report detailed that XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices. By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed massive DDoS attacks.
“Using a botnet to perform DDoS attacks can potentially create significant disruptions, such as the 2.4 Tbps DDoS attack Microsoft mitigated in August 2021. DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems,” the Microsoft 365 Defender Research Team said.
Besides launching DDoS attacks, the malware’s operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads.
“While we did not observe XorDDos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities,” it added.
The surge in XorDDoS activity as Microsoft detected corresponds with a report by cybersecurity firm CrowdStrike in January this year which said that Linux malware had seen a 35% growth during 2021 compared to the previous year.
XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all malware attacks targeting Linux devices observed in 2021.
The report added, “Of the three, CrowdStrike said that XorDDoS saw a notable year-over-year increase of 123%, while Mozi had an explosive activity growth, with ten times more samples detected in the wild throughout last year.”