The Microsoft 365 Defender Research Team has observed a 254% increase in activity from a Distributed Denial of Service (DDoS)-oriented malware known as XorDdos. The moniker is derived from its DDoS capabilities and its use of XOR-based encryption for Command and Control (C2) communications.
XorDdos is known for using SSH brute-force attacks to gain control of remote devices, as well as for its evasion and persistence mechanisms. It can also be used to deliver other malicious scripts and executables.
This malware employs a number of evasion tactics, including daemonizing processes to break process-tree-based analysis, XOR-based encryption, process masquerading, kernel rootkits, and process and port obfuscation. Used in concert, these methods make detection of this threat more complicated.
As for persistence, XorDdos has a number of mechanisms in its arsenal, including:
- Init scripts
- Cron scripts
- System V runlevel
- Auto-start services via update-rc.d
These give the threat actor a myriad of ways to maintain persistence, as well as compatibility with many Linux distributions, including Linux running on IoT devices.
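As an added example (not code from this write-up or from Microsoft), the following POSIX shell script enumerates the four persistence locations named above under a given filesystem root, so a responder can diff the result against a known-good host or a package manifest. It assumes the Debian-style SysV layout (/etc/init.d, /etc/rc?.d, update-rc.d links) and, for the demo, runs against a constructed sample directory rather than a live system.

```shell
#!/bin/sh
# Added example, not from the original write-up. Enumerates init scripts,
# cron entries and SysV runlevel links (what update-rc.d creates) under a
# root directory; assumes the Debian-style layout named in the lead-in.
# Print one "category<TAB>path" line per persistence entry found under $1.
audit_persistence() {
    root="${1:-/}"
    # Init scripts: every regular file in /etc/init.d
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        printf 'init-script\t%s\n' "$f"
    done
    # Cron: system crontab, drop-in directories and per-user spools
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        printf 'cron\t%s\n' "$f"
    done
    # SysV runlevel start links, i.e. what "update-rc.d <name> defaults" creates.
    # A link whose target is gone is reported separately as a leftover.
    for f in "$root"/etc/rc?.d/S*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        target=$(readlink "$f" 2>/dev/null || printf '%s' "$f")
        if [ -e "$f" ]; then
            printf 'runlevel-link\t%s -> %s\n' "$f" "$target"
        else
            printf 'dangling-runlevel-link\t%s -> %s\n' "$f" "$target"
        fi
    done
    return 0
}
# Number of entries found under $1 (wc output trimmed for portability).
count_persistence() {
    audit_persistence "$1" | wc -l | tr -d ' '
}
# Constructed sample root (fake data for the demo, not a real host): one init
# script, one cron drop-in, one valid and one dangling rc3.d start link.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/cron.d" "$root/etc/rc3.d"
    printf '#!/bin/sh\n# sample service\n' > "$root/etc/init.d/sample"
    printf '*/3 * * * * root /usr/bin/true\n' > "$root/etc/cron.d/sample"
    ln -s ../init.d/sample "$root/etc/rc3.d/S90sample"
    ln -s ../init.d/removed "$root/etc/rc3.d/S95removed"
    printf '%s' "$root"
}
sample=$(make_sample_root)
audit_persistence "$sample"            # four lines, one of them dangling
printf 'total entries: %s\n' "$(count_persistence "$sample")"
rm -rf "$sample"
```

Run it against a real host with `audit_persistence /` and compare the output with a baseline taken from a clean machine of the same build.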