A Linux botnet malware known as XorDdos has witnessed a 254% increase in activity in the last six months, according to the latest research from Microsoft.

The Trojan, named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command and control (C2) server, is known to have been active since at least 2014.

XorDdos runs automated brute-force password-guessing attacks against thousands of Linux servers exposed over SSH, looking for working administrator credentials. Once it obtains a valid login, XorDdos uses root privileges to install itself on the Linux system and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.
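The SSH brute-force stage described above leaves a clear trail in sshd authentication logs. The following is an added example (not code from the article or from Microsoft's research) that parses constructed sshd log lines, counts failed password attempts per source address, and flags any source that exceeds a failure threshold, noting whether a password-based login from that source was later accepted, which is the pattern a XorDdos compromise would produce. The log lines, IP addresses and the threshold of 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for illustration; the hosts and IP
# addresses are documentation placeholders, not real infrastructure.
SAMPLE_AUTH_LOG = """\
May 18 10:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
May 18 10:01:03 host1 sshd[2201]: Failed password for root from 203.0.113.10 port 51235 ssh2
May 18 10:01:04 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
May 18 10:01:05 host1 sshd[2205]: Failed password for root from 203.0.113.10 port 51237 ssh2
May 18 10:01:06 host1 sshd[2207]: Failed password for root from 203.0.113.10 port 51238 ssh2
May 18 10:01:07 host1 sshd[2209]: Accepted password for root from 203.0.113.10 port 51239 ssh2
May 18 10:02:00 host1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 18 10:02:30 host1 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# OpenSSH writes "Failed password for [invalid user ]<user> from <ip> port <n>"
# and "Accepted <method> for <user> from <ip> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize_ssh_auth(log_text):
    """Aggregate sshd events per source address.

    Returns {src_ip: {"failed": int, "users": set, "accepted": [(user, method)]}}.
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            stats[src]["failed"] += 1
            stats[src]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            stats[src]["accepted"].append((user, method))
    return dict(stats)


def flag_brute_force(stats, threshold=5):
    """Flag sources with at least `threshold` failed password attempts.

    A source that also has an accepted *password* login is marked, since a
    successful guess after a burst of failures suggests a compromised account
    (key-based logins are not counted, as they cannot result from guessing).
    """
    alerts = {}
    for src, s in stats.items():
        if s["failed"] < threshold:
            continue
        password_ok = any(method == "password" for _, method in s["accepted"])
        alerts[src] = {
            "failed": s["failed"],
            "users_tried": sorted(s["users"]),
            "password_login_accepted": password_ok,
        }
    return alerts


if __name__ == "__main__":
    for src, info in flag_brute_force(summarize_ssh_auth(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info}")
```

On real systems the same logic can be run over `/var/log/auth.log` or `journalctl -u ssh` output; a host where password authentication is disabled in `sshd_config` in favour of keys removes the guessing avenue entirely, and any accepted password login then becomes an alert in its own right.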

The malware is built to run on a range of Linux distributions, and it also includes features to siphon sensitive information, install a rootkit, and act as a vector for tracking activity.

In another sign that the malware can act as a conduit for other threats, devices originally breached with XorDdos are subsequently infected with another Linux Trojan called Tsunami, which in turn deploys the XMRig coin miner.

XorDdos was one of the most active Linux-focused malware families during 2021. It has benefited from the growth of Internet of Things (IoT) devices, most of which run Linux variants, and has also targeted misconfigured Docker clusters in cloud services.

As we have always said, the passwords on your accounts are the main defense against cybercriminals, which is why they must be strengthened and changed from time to time.

