A particular strain of Linux malware has surged over the past six months, Microsoft says, urging Linux device owners to secure their endpoints.
The Redmond software giant says that activity from the XorDDoS malware has increased by 254% in the last six months. While XorDDoS was originally used, as its name implies, to build a Distributed Denial of Service (DDoS) botnet, it can also serve as a gateway for delivering additional payloads.
“We have seen that devices infected by XorDdos were later infected with additional malware, such as Tsunami Backdoor, which further degraded the XMRig coin miner,” Microsoft said in a statement. “Although we have not seen XorDdos install and distribute secondary payloads directly like Tsunami, it is possible that the Trojan has been used as a vector for follow-on activities.”
XorDDoS, which uses XOR-based encryption to communicate with its command-and-control (C2) server, is a relatively old malware strain that has been around since at least 2014. Its longevity comes from its relative success at evading antivirus detection and from persistence mechanisms that make it hard to remove once it has a foothold.
“Its evading capabilities include obscuring malware activity, avoiding rule-based detection processes and hash-based malicious file lookups, as well as using anti-forensic techniques to disrupt process tree-based analysis,” Microsoft said.
“We’ve seen in recent campaigns that XorDdos hides malicious activity from analysis by overwriting sensitive files with a null byte.”
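The XOR-based C2 encryption mentioned above is simple enough to show in full. The following is an added example, not code from XorDDoS or from Microsoft's analysis: it implements repeating-key XOR as a generic technique, and the key and messages (`KEY`, `PLAIN`, and the 203.0.113.10 address) are constructed for illustration. It also shows why such "encryption" hides traffic from naive string signatures yet falls to a known-plaintext check: every known plaintext byte directly reveals one key byte.

```python
"""Repeating-key XOR as used for C2 traffic obfuscation: encode, decode, recover the key.

Added illustration of the generic technique; the key and messages below are
constructed and are NOT XorDDoS's real key or protocol.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. The same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from a known-plaintext prefix.

    Since c[i] = p[i] ^ k[i % key_len], each known plaintext byte yields one
    key byte; key_len bytes of known plaintext recover the whole key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed sample (hypothetical key and beacon, documentation-range address).
KEY = b"example-key"
PLAIN = b"GET /cmd HTTP/1.1\r\nHost: 203.0.113.10\r\n"


def demo() -> dict:
    """Round-trip a constructed beacon and recover the key from its known prefix."""
    cipher = xor_bytes(PLAIN, KEY)
    return {
        "ciphertext_hides_plaintext": b"Host:" not in cipher,
        "roundtrip_ok": xor_bytes(cipher, KEY) == PLAIN,
        # An analyst who knows the beacon starts with "GET /cmd HTT" gets the key back.
        "recovered_key": recover_key(cipher, PLAIN[:len(KEY)], len(KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point for detection is the one the article makes: a byte-level signature on the C2 exchange will not match, but the scheme offers no real confidentiality, so captured traffic plus a guess at the protocol's fixed fields is enough to read it.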
Endpoint architecture is not a limiting factor either: the malware has been found to infect ARM-based devices (Internet of Things gear) as well as x64 servers. It gains its initial foothold through SSH brute-force attacks against weak credentials.
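Because the initial access is SSH password brute-forcing, the first thing a defender can look for is a burst of failed logins from one source. The following is an added example, not part of the original article or of Microsoft's report: it parses OpenSSH `Failed password` lines in the classic syslog format and flags any source address with a configurable number of failures inside a sliding time window. The log lines, hostnames and addresses (198.51.100.7, 192.0.2.5) are constructed for the example.

```python
"""Flag SSH brute-force sources from OpenSSH auth log lines.

Added example; the log lines below are constructed, not from any real host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches syslog-style sshd failures, e.g.
# "May 19 10:00:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(lines, year=2022):
    """Yield (timestamp, user, ip) for every failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for sources with >= threshold failures in any window."""
    events = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(lines):
        events[ip].append(ts)

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: one noisy source cycling through common usernames,
# one source with two spread-out failures, and an unrelated successful login.
SAMPLE_LOG = [
    "May 19 10:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "May 19 10:00:04 web1 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2",
    "May 19 10:00:09 web1 sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 4024 ssh2",
    "May 19 10:00:12 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 4025 ssh2",
    "May 19 10:00:15 web1 sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 4026 ssh2",
    "May 19 10:00:19 web1 sshd[1211]: Failed password for invalid user ubuntu from 198.51.100.7 port 4027 ssh2",
    "May 19 10:05:30 web1 sshd[1230]: Accepted publickey for deploy from 192.0.2.5 port 51000 ssh2",
    "May 19 10:07:02 web1 sshd[1240]: Failed password for deploy from 192.0.2.5 port 51002 ssh2",
    "May 19 10:20:44 web1 sshd[1260]: Failed password for deploy from 192.0.2.5 port 51010 ssh2",
]


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute-force suspect {ip}: {count} failed logins")
```

On the sample the noisy source is flagged while the two isolated typos from 192.0.2.5 are not. In production the same logic belongs in a log pipeline fed by journald or `/var/log/auth.log`, and the flagged addresses should be cross-checked against subsequent `Accepted password` events, since a success after a burst of failures is the sign the brute force worked.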
These findings are consistent with a recent report by CrowdStrike, which states that Linux malware increased by more than a third (35%) in 2021 compared to the previous year.
Via: BleepingComputer