Microsoft says it has observed a 254% increase in activity over the last six months from an eight-year-old Linux trojan targeting Linux-based operating systems on cloud infrastructures and IoT devices.
The malware, called XorDdos, is named after its attack method, denial of service on Linux endpoints and servers, in addition to XOR-based encryption for its communications, according to a Microsoft security blog.
What makes this malware noteworthy is its ability to amass botnets that can be used to carry out large DDoS attacks, which Microsoft says can be used to hide further malicious activities, such as deploying malware and infecting other systems and devices.
According to Microsoft, XorDdos is known for using Secure Shell (SSH) brute force attacks to gain remote control on target devices, leveraging widely used IT infrastructure protocol that enables encrypted communications over insecure networks for remote system administration activities that makes it an attractive target for attackers. XorDdos identifies valid SSH credentials and uses root privileges to run a script that downloads and installs the malware on the target device, per the blog.
The Linux trojan is also sneaky; it uses evasion and persistence tactics that allow it to remain active and very hidden, including obfuscating its activities; evading rule-based detection and hash-based file lookup, as well as leveraging anti-forensic techniques to break process tree-based analysis, according to Microsoft.
In recent campaigns, Microsoft observed XorDdos hiding malicious activities from analysis by overwriting sensitive files with a null byte, as well as other various persistence mechanisms to support different Linux distributions.
This is part of an alarming trend in which a DDoS trojan is used to deliver other malware, as devise first infected with XorDdos were later infected with the Tsunami backdoor, which Microsoft says further deploys a cryptocurrency miner. However, XorDdos did not directly install and distribute those secondary payloads. Instead, the trojan may be leveraged as a vector for follow-on activities, the company says.
For more information, including indicators of compromise, read Microsoft’s blog.