A strain of Linux malware has been growing rapidly in the last six months. Microsoft is now urging owners to take several steps to secure their Linux devices.
Microsoft found that Linux devices that were first infected by XorDdos were then infected by malware, the Tsunami backdoor. Once the Tsunami backdoor infiltrates the device, it deploys the XMRif coin miner.
In an announcement by Microsoft, "While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities."
The XorDdos payload is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft also notes that it utilizes daemon process, which runs in the background beyond the control of users, and it then terminates when the system is shutdown.
However, the malware can relaunch automatically when a system is started through several scripts and commands that allow it to run when a system boots.
The XorDdos
This isn't the first time XorDdos has targeted Docker servers that are unprotected with exposed ports. It has attacked systems to overwhelm a target network or service with fake traffic to make it inaccessible.
With that, it has been named the top Linux-targeted threat in 2021. Furthermore, it has also been revealed that Linux malware families increased by roughly 40 percent in 2020 compared to 2019, according to a February 2021 report by Intezer.
According to researchers, it uses evasion and persistence mechanisms that make its operations stealthy and robust. The evasion capabilities include evading any rule-based detection mechanisms, the use of anti-forensic techniques, and obfuscating the malware's activities.
The XorDdos can conduct multiple attach techniques, such as DNS, SYN, and ACK attacks. It collects characteristics about an infected device, such as the magic string OS release version, rootkit presence, CPU information, and LAN speed, which are all encrypted and sent to the C2 server.
The Syrsrv-K
Earlier this week, Microsoft said that another botnet is targeting Windows. A new variant of Sysrv botnet is out there that is taking advantage of a flaw in the Spring Framework. The botnet installs cryptocurrency mining malware on Windows platforms as well as on other Linux systems.
A tweet from Microsoft reads, "Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself."
It also observed a new capability of the new variant that supports new communication, which includes its ability to use a Telegram bot.
This article is owned by Tech Times
Written by April Fowell