Cyber Security News

XorDdos – Powerful DDoS Malware Attacking Linux Devices

Over the past six months, activity from a stealthy, modular Linux malware called XorDdos has risen by 254%.

Why has this malware been named “XorDdos”?

The malware uses XOR-based encryption for its communication with C2 servers, and the threat actors use it to launch DDoS attacks from the compromised devices.

That combination gives this stealthy and modular Linux malware its name, “XorDdos.” The malware has been active since at least 2014.

To remain stealthy and hard to remove, the botnet uses a range of evasion and persistence tactics.

Here’s what the Microsoft 365 Defender Research Team stated:

“Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”

“We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte.”

Technical Analysis

XorDdos spreads through SSH brute-force attacks, compromising Linux systems ranging from ARM-based IoT devices to x64 servers.

It uses a shell script that repeatedly attempts to log in as root over SSH to internet-exposed machines, trying a list of passwords against each new host until one succeeds, in order to propagate to as many machines as possible.

XorDdos’ operators use the malware not only to launch DDoS attacks from the compromised systems but also to:

  • Install rootkits
  • Sustain access to the hacked devices
  • Drop more malicious payloads

Devices compromised by XorDdos can also be infected with Tsunami, a Linux trojan that in turn installs the XMRig cryptocurrency miner. XorDdos has also been reported to target unprotected Docker servers that expose the Docker API on port 2375 for the past few years.

CrowdStrike reported that Linux malware grew 35% in 2021 compared with the previous year; separately, Microsoft has observed a sharp increase in XorDdos activity since December.

XorDdos, Mirai and Mozi, the most widespread Linux malware families, together accounted for 22% of all malware attacks against Linux devices observed in 2021.

XorDdos alone saw a 123% year-over-year increase in activity, and ten times more Mozi samples were found in the wild than the year before, indicating exponential growth.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
