Microsoft recently reported that activity from a stealthy Linux malware dubbed XorDDoS has risen by about 254% over the past six months. The malware takes its name from the XOR-based encryption it uses to obfuscate communication with its command-and-control (C2) servers, and from its purpose: launching distributed denial-of-service (DDoS) attacks.
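To show why XOR "encryption" of C2 traffic is an obfuscation rather than a real confidentiality measure, here is an added example (not XorDDoS's own code or key) of repeating-key XOR and of how an analyst recovers the key from a few bytes of known plaintext. The key, the check-in message format and the message contents are constructed for the illustration.

```python
"""Repeating-key XOR and known-plaintext key recovery.

Added illustration, not XorDDoS's own code. SAMPLE_KEY and the
check-in message below are constructed for the example.
"""
from itertools import cycle


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from known plaintext at offset 0.

    Since c[i] = p[i] ^ key[i % key_len], key_len bytes of known
    plaintext reveal the whole key; every later message using the same
    key can then be decoded. A fixed message prefix such as a check-in
    verb is exactly the kind of known plaintext an analyst has.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(
        c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len])
    )


# Constructed sample: hypothetical key and a fake bot check-in message.
SAMPLE_KEY = b"examplekey"
SAMPLE_PLAINTEXT = b"CHECKIN id=bot-0042 os=linux arch=x86_64"


def demo() -> dict:
    """Encrypt the sample, recover the key from its prefix, decrypt again."""
    ct = xor_crypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key = recover_key(ct, SAMPLE_PLAINTEXT[: len(SAMPLE_KEY)], len(SAMPLE_KEY))
    return {"ciphertext": ct, "recovered_key": key, "roundtrip": xor_crypt(ct, key)}


if __name__ == "__main__":
    result = demo()
    print("ciphertext:", result["ciphertext"].hex())
    print("recovered key:", result["recovered_key"])
    print("decrypted:", result["roundtrip"])
```

The practical consequence for defenders is that once the key is pulled from a sample or from traffic, a network sensor can decode and match on C2 content directly; the XOR layer only defeats naive string scanning.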
The recent surge in XorDDoS activity is most likely a result of the malware's evasion and persistence capabilities, which let it stay hidden on an infected machine and make it hard to remove.
As Microsoft explains, XorDDoS's evasion features include obfuscating its activity on the network, bypassing rule-based detection and hash-based lookups of known malicious files, and using anti-analysis techniques.
Analysis tools are not much of an obstacle for the botnet either: in recent campaigns it has hidden its tracks by overwriting files with a null byte. This is an anti-forensic step rather than an exploit, and it leaves investigators with files whose useful contents are gone.
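A triage check for this anti-forensic trick, added here as an example and not taken from Microsoft's report or the malware: files that should be text (logs, shell histories) normally contain no NUL bytes at all, so a non-empty file that is mostly 0x00 is a strong indicator of a null-byte overwrite. The sample files and their contents are constructed inside a temporary directory; on a real host you would point scan_for_null_wipes at the paths you care about.

```python
"""Detect files overwritten with null bytes (anti-forensics triage).

Added example, not Microsoft's or XorDDoS's code. The sample files
created by demo() are constructed for the illustration.
"""
import os
import tempfile


def null_fraction(data: bytes) -> float:
    """Fraction of bytes equal to 0x00; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def is_null_wiped(path: str, threshold: float = 0.9, min_size: int = 1) -> bool:
    """True if the file is at least min_size bytes and >= threshold NUL.

    A partially overwritten file (NUL prefix, then new entries appended
    after the wipe) still scores high, which is the case we want to catch.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data) >= min_size and null_fraction(data) >= threshold


def scan_for_null_wipes(paths):
    """Return the subset of paths that look wiped; missing paths are skipped."""
    return [p for p in paths if os.path.isfile(p) and is_null_wiped(p)]


def demo() -> list:
    """Create constructed sample files in a temp dir and return the hits."""
    d = tempfile.mkdtemp()
    samples = {
        "wtmp_like": b"\x00" * 4096,  # fully overwritten
        "auth.log": b"May  1 10:00:01 host sshd[1]: Accepted publickey for ops\n",
        "bash_history": b"\x00" * 900 + b"ls\ncd /tmp\n",  # wiped, then reused
        "empty": b"",  # empty is not evidence of a null-byte overwrite
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    hits = scan_for_null_wipes([os.path.join(d, n) for n in samples])
    return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    print("suspected null-byte overwrites:", demo())
```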
Earlier reports describe XorDDoS targeting Linux systems across several architectures through SSH brute-force attacks. The malware uses a shell script that tries to log in as root with a list of passwords against a large number of internet-exposed hosts until it finds one that matches, and it uses the same mechanism to spread laterally across networks and devices.
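The brute-force stage is noisy in sshd logs, and this is where it is usually caught. The following is an added example (not part of the article or of Microsoft's report) of detection logic run over constructed auth.log lines in the common OpenSSH syslog format: it flags sources hammering the root account with passwords and, more generally, sources spraying many usernames.

```python
"""Flag SSH password brute-force from sshd log lines.

Added example, not from the original article. SAMPLE_LOG is constructed;
the line format follows OpenSSH's usual "Failed password for ..." syslog entry.
"""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines):
    """Yield (user, ip) for each failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def brute_force_sources(lines, threshold=5):
    """Return {ip: count} for sources with >= threshold failed root logins."""
    counts = Counter(ip for user, ip in parse_failures(lines) if user == "root")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def spray_sources(lines, threshold=3):
    """Return {ip: sorted users} for sources trying >= threshold distinct users."""
    users = defaultdict(set)
    for user, ip in parse_failures(lines):
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= threshold}


# Constructed sample log (documentation IP ranges, fake hostnames).
SAMPLE_LOG = [
    "May  1 10:00:01 web1 sshd[2201]: Accepted publickey for ops from 10.0.0.4 port 51022 ssh2",
] + [
    f"May  1 10:00:{2 + i:02d} web1 sshd[{2210 + i}]: Failed password for root "
    f"from 203.0.113.7 port {40000 + i} ssh2"
    for i in range(6)
] + [
    "May  1 10:00:09 web1 sshd[2230]: Failed password for root from 198.51.100.9 port 4433 ssh2",
    "May  1 10:00:10 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.5 port 5001 ssh2",
    "May  1 10:00:11 web1 sshd[2232]: Failed password for invalid user test from 192.0.2.5 port 5002 ssh2",
    "May  1 10:00:12 web1 sshd[2233]: Failed password for invalid user oracle from 192.0.2.5 port 5003 ssh2",
]


if __name__ == "__main__":
    print("root brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("username spray sources:", spray_sources(SAMPLE_LOG))
```

Thresholds of 5 and 3 are deliberately low for the sample; in production they should be tuned per time window. The mitigation the article implies is to take the password path away entirely (PermitRootLogin prohibit-password and PasswordAuthentication no in sshd_config), after which these lines stop appearing because the server never offers a password prompt.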
XorDDoS operators also use the malware to install rootkits, maintain access to compromised servers, and drop additional payloads for later attacks. Microsoft reports seeing several devices that were first infected with the botnet and later found infected with other malware strains as well.
The six-month surge also lines up with a separate report that found Linux malware grew by at least 35% in 2021 compared with 2020.
Microsoft also named three of the most prevalent families from that analysis, XorDDoS, Mirai, and Mozi, which together accounted for 22% of all malware attacks on Linux devices last year.