XorDdos Malware Detection: Microsoft Warns of an Alarming Surge of DDoS Attacks Targeting Linux

In May 2022, Linux-based systems are getting exposed to a number of threats coming from multiple attack vectors. Early this month, the BPFDoor surveillance implant hit the headlines compromising thousands of Linux devices. Another threat targeting Linux systems is looming on the horizon. Microsoft has observed an enormous surge of malicious activity from Linux XorDdos Trojan, which has almost tripled over the last half a year. The infamous DDoS malware has received its name due to the stealthy activity leveraging denial-of-service attacks on Linux devices and the use of XOR encryption algorithm for C&C server communication.

Detect Linux XorDdos Malware 

To help organizations protect their Linux-based environments against the malicious XorDdos activity, SOC Prime’s platform curates a batch of new Sigma rules crafted by our prolific Threat Bounty Program developers, Onur Atali and Joseph Kamau:

Possible XorDdos Malware (May 2022) Execution by Detection of Associated Files (via file_event)

Possible XordDos Malware Renaming Wget Linux Binary Activity (via process_creation)

Both detection rules are compatible with the industry-leading SIEM, EDR, and XDR technologies supported by SOC Prime’s platform and aligned with the MITRE ATT&CK® framework. The Sigma rule that detects the potential XorDdos-induced attacks via file_event addresses the Execution and Defense Evasion tactics with the corresponding Command and Scripting Interpreter (T1059) and Process Injection (T1055) techniques, while the content item based on the process_creation log source addresses the Masquerading (T1036) technique related to the Defense Evasion tactic arsenal. 

Click the View Detections button to reach the entire collection of curated, context-enriched detection algorithms tailored to the unique security environments and the organization-specific threat profiles. Looking for ways to make your own contribution to the collaborative cyber defense? Join our Threat Bounty Program to craft detections and monetize your input.

View Detections Join Threat Bounty

Linux XorDdos Analysis 

XorDdos DDoS malware has been in the spotlight in the cyber threat arena since 2014. According to the latest Microsoft’s research, the malware has recently seen a rapidly growing trend targeting Linux OS that is normally deployed in the cloud and on IoT infrastructures. XorDdos amasses botnets to carry out DDoS attacks that can massively abuse thousands of servers, as in the case of the infamous memcached server exploitation.

Another attack vector involving XorDdos Trojan includes SSH brute force attacks. In this case, XorDdos uses root privileges to gain remote control after identifying SSH credentials, then launches a malicious script that further installs the malware sample on the compromised device. 

XorDdos activity is considered to be stealthy and hard to detect due to its persistence and the ability to evade anti-malware scanning. Further XorDdos details include its role in triggering the infection chain aimed to deliver other malware strains, such as the Tsunami backdoor, which is used to drop XMRig cryptominer on the targeted system and spread the infection further.

Microsoft suggests a set of mitigations to help teams safeguard their Linux-based environments against potential DDoS attacks, such as enabling cloud-delivered and network protection, using device discovery, and configuring automated remediation and investigation procedures to combat alert fatigue. 

With continuously advancing threats and growing attack volumes, there are increasing demands for universal cybersecurity solutions that can be applied across multiple devices regardless of the OS in use. Joining SOC Prime’s Detection as Code platform enables organizations to reinforce their cyber defense capabilities by offering an extensive collection of detection algorithms tailored to 25+ SIEM, EDR, and XDR technologies and covering a wide range of organizations-specific log sources.