Massive Surge in Use of Linux XorDdos Malware Reported

Microsoft: XorDdos Is Known for Using Secure Shell Brute Force Attacks
Microsoft has observed a 254% increase in activity over the past six months from XorDdos, a Linux Trojan that can be used to carry out distributed denial-of-service attacks and is known for using Secure Shell brute force attacks to gain remote control of target devices.
First discovered by the research group MalwareMustDie project in 2014, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.
"XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices. By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service (DDoS) attacks," according to the Microsoft 365 Defender Research Team.
Microsoft says it mitigated a 2.4 Tbps DDoS attack in August 2021. It says that the attack traffic originated from nearly 70,000 sources in countries including Malaysia, Vietnam, Taiwan, Japan, China and the U.S., but the attack traffic did not reach the targeted client's location and was mitigated in the source countries.
"DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems," Microsoft says.
XorDdos is known for using Secure Shell brute force attacks to gain remote control on target devices, Microsoft says.
SSH is a network protocol in IT infrastructures that enables encrypted communications over insecure networks for remote system administration purposes, making it an attractive vector for attackers.
Once XorDdos finds valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device and uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy.
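An added example, not from the article or from Microsoft's report, showing how a defender could spot the initial-access pattern described above in sshd authentication logs: a burst of failed password attempts from one source followed by an accepted login. The log lines, host name, IP addresses and the failure threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (synthetic, not taken from the article).
SAMPLE_AUTH_LOG = """\
May 20 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 20 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 40123 ssh2
May 20 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
May 20 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 40125 ssh2
May 20 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 40126 ssh2
May 20 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 40127 ssh2
May 20 10:01:00 host sshd[1210]: Failed password for alice from 198.51.100.4 port 51000 ssh2
May 20 10:01:05 host sshd[1211]: Accepted password for alice from 198.51.100.4 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms of sshd messages.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def find_bruteforce_logins(log_text, threshold=5):
    """Return (ip, user, failures_before_success) for every source IP that
    logged in with a password after at least `threshold` failed attempts.
    A successful password login (especially as root) following such a burst
    is the pattern a brute-force tool produces once it hits valid credentials.
    The threshold is an assumed tuning value, not one from the report."""
    failures = defaultdict(int)  # failed attempts seen so far, per source IP
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT: {ip} logged in as {user} after {n} failed password attempts")
```

Setting `PermitRootLogin prohibit-password` (or `PasswordAuthentication no`) in sshd_config removes the password-guessing vector the detection is watching for.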
"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis," say Ratnesh Pandey, Yevgeny Kulakov and Jonathan Bar of the Microsoft 365 Defender Research Team.
The researchers also observed in the recent campaigns that XorDdos can hide malicious activities from analysis by overwriting sensitive files and that it includes various persistence mechanisms to support different Linux distributions.
Initial Attack Vector
The researchers found that the devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coinminer.
"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the Trojan is leveraged as a vector for follow-on activities," Microsoft says.
Microsoft analyzed a 32-bit ELF file, programmed in C/C++, containing debug symbols that detailed the malware's dedicated code for each of its activities. Microsoft uncovered that XorDdos contains modules with specific functionalities to evade detection.
"They use daemon processes that run in the background rather than under the control of users and detach itself from the controlling terminal, terminating only when the system is shut down," Microsoft says.
Derived From XOR Malware
XOR first appeared in 2014, as documented by the researchers behind the Malware Must Die project, who dubbed it XOR.DDoS and said it appeared to have been developed in China.
"Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," researcher Bart Blaze said in a technical teardown of the malware published in 2015. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the [C2s]," aka command-and-control servers. Those servers issue instructions to infected systems, which serve as the bots in the botnet.
Deadlier DDoS Attacks
In a February 2021 blog post that highlighted trends observed in 2020, Microsoft said that DDoS attacks had grown over 50%, with increasing complexity and a significant increase in the volume of DDoS traffic. In 2020, Microsoft said, it mitigated an average of 500 multi-vector attacks on Azure resources on any given day.
According to the blog, the COVID-19 outbreak and subsequent shift to remote working brought about surges in internet traffic that made it easier for attackers to launch DDoS attacks as they no longer had to generate much traffic to bring down services.
During March and April 2020, Microsoft says it mitigated between 800 and 1,000 multi-vector attacks per day.