XorDdos, a malware discovered by Microsoft and that attacks Linux

A few days ago Microsoft released news about a DDoS malware called “XorDdos” which targets Linux endpoints and servers. Microsoft said it discovered vulnerabilities that allow people who control many Linux desktop systems to quickly gain system rights.

Microsoft employs some of the best security researchers in the world, regularly discovering and fixing important vulnerabilities, often before they are used in ecosystems.

“What this discovery actually proves is what anyone with half a clue already knew: there is nothing about Linux that makes it inherently more reliable than Windows. XorDdos

“Over the last six months, we have seen a 254% increase in activity for a Linux Trojan called XorDdos,” says Microsoft. Another flaw that proves there's nothing in Linux that makes it inherently more reliable than Windows?

DDoS attacks alone can be very problematic for many reasons, but these attacks can also be used as a cover to hide other malicious activities, such as malware deployment and infiltration of target systems. Using a botnet to conduct DDoS attacks can potentially create significant disruption, such as the 2.4 Tbps DDoS attack that Microsoft mitigated in August 2021.

Botnets can also be used to compromise other devices, and it is known that XorDdos uses Secure Shell (SSH) brute force attacks to take control of target devices remotely. SSH is one of the most common protocols in IT infrastructures and allows encrypted communications over insecure networks in order to manage remote systems, making it an attractive vector for attackers.

After XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device.

XorDdos uses evasion and persistence mechanisms that keep its operations robust and stealthy. Its evasion capabilities include obfuscation of malware activities, evasion of rule-based detection mechanisms and hash-based searches for malicious files, as well as the use of anti-forensic techniques to break process tree-based analysis.

Microsoft says it has seen in recent campaigns that XorDdos hides malicious scanning activity by overwriting sensitive files with a null byte. It also includes several persistence mechanisms to support different Linux distributions. XorDdos may illustrate another trend observed across various platforms, where malware is used to generate other dangerous threats.

Microsoft also says it found that devices first infected with XorDdos were later infected with other malware, such as a backdoor which then deploys the XMRig coin miner.

“Although we have not observed XorDdos directly installing and distributing secondary payloads like Tsunami, it is possible that the Trojan is being used as a vector to track activities,” says Microsoft.

XorDdos spreads mainly via SSH brute force. It uses a malicious shell script to try various root credential combinations on thousands of servers until it finds a match on a target Linux device. As a result, many failed login attempts can be seen on devices targeted by the malware.
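The failed-login pattern described above is what a defender can look for in the SSH daemon's log. The following is an added example, not code from the article or from Microsoft's report: it parses OpenSSH "Failed password" lines, counts failures per source address and target account, and flags sources that exceed a threshold. The log lines, host name and IP addresses are constructed for the example.

```python
"""Count failed SSH logins per source in OpenSSH auth log lines."""
import re
from collections import Counter

# Matches "Failed password for root from 198.51.100.7 port 40100 ssh2"
# and "Failed password for invalid user admin from ... port ... ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)

def failed_logins(lines):
    """Return a Counter keyed by (source IP, target user) of failed logins."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("src"), m.group("user"))] += 1
    return counts

def brute_force_sources(lines, threshold=5):
    """Return sorted (source, user, count) tuples at or above threshold.

    Many guesses from one source against the same privileged account
    is the pattern the article describes for XorDdos's SSH brute force.
    """
    return sorted(
        (src, user, n)
        for (src, user), n in failed_logins(lines).items()
        if n >= threshold
    )

# Constructed sample log, not taken from a real host.
SAMPLE_LOG = [
    f"May 20 10:00:{s:02d} host sshd[2101]: Failed password for root "
    f"from 198.51.100.7 port {40100 + s} ssh2"
    for s in range(6)
] + [
    "May 20 10:00:09 host sshd[2140]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51822 ssh2",
    "May 20 10:00:12 host sshd[2150]: Accepted publickey for deploy "
    "from 192.0.2.1 port 60010 ssh2: ED25519 SHA256:placeholder",
]

if __name__ == "__main__":
    for src, user, n in brute_force_sources(SAMPLE_LOG):
        print(f"{src} made {n} failed attempts against '{user}'")
```

On a real host the lines would come from /var/log/auth.log or `journalctl -u ssh`; the "Accepted" line shows that successful logins are ignored by the pattern.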

Microsoft has identified two of XorDdos's initial access methods. The first method is to copy a malicious ELF file to the temporary file storage /dev/shm and then run it. Files written to /dev/shm are deleted on system reboot, allowing the source of infection to be hidden from forensic analysis.
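Because /dev/shm is a tmpfs that empties on reboot, a defender wants to notice ELF binaries staged there while they still exist. The following is an added example, not code from the article or from Microsoft: it walks a tmpfs directory, checks each regular file for the ELF magic bytes, and reports whether the file is executable. The default path /dev/shm comes from the article; everything else is the example's own.

```python
"""Flag ELF binaries staged in a volatile tmpfs directory such as /dev/shm."""
import os
import stat

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def is_elf(header: bytes) -> bool:
    """Return True if the bytes begin with the ELF magic number."""
    return header[:4] == ELF_MAGIC

def is_executable(mode: int) -> bool:
    """Return True if any execute bit is set in an st_mode value."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def scan_tmpfs(path="/dev/shm"):
    """Return (file path, executable flag) for every ELF regular file under path.

    Symlinks, sockets and other non-regular entries are skipped, and a
    file that disappears or is unreadable mid-scan is ignored rather
    than aborting the scan, since tmpfs contents are volatile.
    """
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(full, "rb") as fh:
                    header = fh.read(4)
            except OSError:
                continue
            if is_elf(header):
                findings.append((full, is_executable(st.st_mode)))
    return findings

if __name__ == "__main__":
    for found, executable in scan_tmpfs():
        print(f"ELF in tmpfs: {found} (executable={executable})")
```

Any hit is worth copying off the host before a reboot removes it; a non-existent path simply yields no findings.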

The second method is to run a bash script from the command line that iterates through a list of folders to find a writable directory.

The modular nature of XorDdos provides attackers with a versatile Trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple but effective technique for gaining root access on a number of potential targets.

Capable of stealing sensitive data, installing a rootkit, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos allows hackers to create potentially significant disruptions to target systems. Additionally, XorDdos can be used to introduce other dangerous threats or provide a vector for follow-on activities.

According to Microsoft, by leveraging insights from built-in threat data, including client and cloud heuristics, machine learning models, memory analysis, and behavioral monitoring, Microsoft Defender for Endpoint can detect and remediate XorDdos and its modular multi-stage attacks.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

