"Microsoft Detects Massive Surge in Linux XorDDoS Malware Activity"

According to Microsoft, activity from a stealthy, modular malware strain that attackers use to infiltrate Linux devices and assemble them into a Distributed Denial-of-Service (DDoS) botnet has increased by 254 percent over the last six months. The malware is known as XorDDoS or XOR DDoS because it uses XOR-based encryption when communicating with its command-and-control (C2) servers, and it is used to carry out DDoS attacks. Microsoft attributes the botnet's success to its extensive use of evasion and persistence techniques, which keep it stealthy and make it difficult for security teams to remove. The Microsoft 365 Defender Research Team found that XorDDoS can obfuscate its activities, circumvent rule-based detection mechanisms, use anti-forensic techniques to break process-tree-based analysis, and more. In recent campaigns, XorDDoS was observed overwriting sensitive files with a null byte to hide malicious activity from analysis. XorDDoS is known for compromising vulnerable Linux systems through SSH brute-force attacks: it uses a shell script that attempts to log in as root with different passwords against thousands of Internet-exposed machines until it finds a match. Beyond launching DDoS attacks, the malware's operators use the XorDDoS botnet to install rootkits, maintain access to compromised devices, and drop additional malicious payloads. This article continues to discuss findings surrounding the surge in XorDDoS activity. 
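The summary notes that XorDDoS spreads by brute-forcing root passwords over SSH. One practical way for defenders to spot that initial-access pattern on a Linux host is to watch the sshd authentication log for bursts of failed root password logins from a single source, and to flag any root password login that follows such a burst. The detector below is an added example written for this page, not code from Microsoft's report or from Bleeping Computer. The log lines, host name, IP addresses, timestamps, the threshold of 5 failures in 60 seconds, and the assumed year 2022 (syslog timestamps omit the year) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the article).
# 203.0.113.7 and 198.51.100.9 are documentation-range addresses.
SAMPLE_AUTH_LOG = """\
May 19 10:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
May 19 10:00:02 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
May 19 10:00:03 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
May 19 10:00:04 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
May 19 10:00:05 host1 sshd[2109]: Failed password for root from 203.0.113.7 port 50130 ssh2
May 19 10:00:06 host1 sshd[2111]: Accepted password for root from 203.0.113.7 port 50132 ssh2
May 19 10:03:10 host1 sshd[2150]: Failed password for alice from 198.51.100.9 port 41000 ssh2
May 19 10:20:00 host1 sshd[2200]: Accepted publickey for alice from 198.51.100.9 port 41010 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2022):
    """Parse sshd auth lines into dicts; lines that are not login results are skipped.
    The year is assumed because syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_root_bruteforce(events, threshold=5, window_s=60):
    """Return one alert per source IP that produced at least `threshold` failed
    root password logins within any `window_s`-second window. Each alert also
    records whether a root password login from that IP was accepted at or after
    the end of the burst, which is the case a responder should treat as a
    likely compromise rather than mere noise."""
    by_ip = defaultdict(list)
    for e in events:
        if e["user"] == "root" and e["method"] == "password":
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the failure timestamps for this source.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]["ts"]
                success = any(
                    e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs
                )
                alerts.append({
                    "ip": ip,
                    "failures": j - i,
                    "first": fails[i]["ts"],
                    "last": burst_end,
                    "root_login_after_burst": success,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_root_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the constructed log above, the detector raises a single alert for 203.0.113.7 with five failures followed by an accepted root password login; the failed attempt against the non-root user and the later key-based login are ignored. In a real deployment the same logic would be fed from `/var/log/auth.log` or `journalctl -u ssh`, and the most effective mitigation for the pattern the article describes is to disable password authentication for root in `sshd_config` (`PermitRootLogin prohibit-password` or `no`) so that the brute-force loop has nothing to guess.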

Bleeping Computer reports "Microsoft Detects Massive Surge in Linux XorDDoS Malware Activity"
